WordPress · Userpro · CVE-2018-16285
**Name of the Vulnerable Software and Affected Versions**
UserPro plugin versions prior to 4.9.24
**Description**
The issue allows for XSS via the `shortcode` parameter in a `userpro shortcode template` action to the "/wp-admin/admin-ajax.php" API endpoint.
**Recommendations**
For versions prior to 4.9.24, update to version 4.9.24 or later to resolve the issue.