CVE-2021-24654 — Cross-site Scripting in User Registration

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.5%

top 33.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wpeverest User Registration

Timeline

PublishedOct 4

Latest updateMay 24

Description

The User Registration WordPress plugin before 2.0.2 does not properly sanitise the user_registration_profile_pic_url value when submitted directly via the user_registration_update_profile_details AJAX action. This could allow any authenticated user, such as subscriber, to perform Stored Cross-Site attacks when their profile is viewed

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages1 packages

▶NVDwpeverest/user_registration< 2.0.2

🔴Vulnerability Details

GHSA

GHSA-f9cp-vx85-2fm6: The User Registration WordPress plugin before 2↗2022-05-24

▶

CVEList

User Registration < 2.0.2 - Low Privilege Stored Cross-Site Scripting↗2021-10-04

▶

VulnCheck

wpeverest user_registration Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')↗2021

▶