PT-2021-15976 · WordPress · Profilepress

Keyloggervk7 +1 · Published 2021-08-02 · Updated 2023-05-26 · CVE-2021-24450

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar) WordPress plugin versions prior to 3.1.8

Description: The issue allows high-privilege users, such as admins, to set JavaScript payloads in some settings even when the unfiltered_html capability is disallowed, leading to an authenticated stored cross-site scripting issue. This occurs because the plugin does not properly sanitise or escape some of its settings before saving them and outputting them back in the page.

Recommendations: For versions prior to 3.1.8, update to version 3.1.8 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high-privilege users to modify settings that could be used to inject JavaScript payloads.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2021-24450

Affected Products: Profilepress