PT-2021-16044 · WordPress · Profilepress

Stiofan · Published 2021-08-09 · Updated 2025-06-05 · CVE-2021-24522

CVSS v3.1

6.1 Medium

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

User Registration, User Profile, Login & Membership – ProfilePress (Formerly WP User Avatar) versions prior to 3.1.11

Description

The issue concerns a lack of proper escaping in the widget for tabbed login/register, which could be exploited in a cross-site scripting (XSS) attack. This attack could potentially lead to access to the wp-admin section. Additionally, the plugin incorrectly assigned $_POST as $_GET in several places, allowing the issue to be replicated using only $_GET parameters without the need for $_POST values.

Recommendations

For versions prior to 3.1.11, update to version 3.1.11 or later to resolve the issue. As a temporary workaround, consider restricting access to the tabbed login/register widget until the update is applied. Avoid using the $_POST and $_GET parameters interchangeably in the plugin's configuration to minimize the risk of exploitation.
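
An added illustration of the two flaws the description names (unescaped output in a form field, and request values taken from $_GET where $_POST was intended), next to a hardened counterpart. This is not ProfilePress code: the function names and the login_username field are hypothetical, and esc_attr() is stubbed with htmlspecialchars() so the script runs outside WordPress.

```php
<?php
// Added illustration; NOT ProfilePress source. All names below are hypothetical.

// Stand-in for WordPress's esc_attr() so the file runs outside WordPress (assumption).
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Pattern from the description: query-string data stands in for form data,
// and the value is written back into the markup without escaping.
function render_login_field_vulnerable(array $get, array $post) {
    $data  = $get + $post; // array union: a key present in $get wins
    $value = isset($data['login_username']) ? $data['login_username'] : '';
    return '<input type="text" name="login_username" value="' . $value . '">';
}

// Hardened: read the field from the POST body only, and escape on output.
function render_login_field_hardened(array $get, array $post) {
    $value = (isset($post['login_username']) && is_string($post['login_username']))
        ? $post['login_username']
        : '';
    return '<input type="text" name="login_username" value="' . esc_attr($value) . '">';
}

// Constructed sample input: a harmless value that tries to close the attribute.
$probe = '"><b id="injected">';
$get   = array('login_username' => $probe);
$post  = array();

// Value arrives in the query string only.
echo "vulnerable, GET only : ", render_login_field_vulnerable($get, $post), "\n";
echo "hardened,   GET only : ", render_login_field_hardened($get, $post), "\n";
// Same value submitted in the POST body: accepted, but escaped in the attribute.
echo "hardened,   POST body: ", render_login_field_hardened(array(), $get), "\n";
```

In the first output line the probe closes the value attribute and a new element appears in the markup; in the hardened lines the query-string value is ignored and the POST value is emitted as `&quot;&gt;&lt;b id=&quot;injected&quot;&gt;` inside the attribute.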

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2021-24522

Affected Products

Profilepress