PT-2021-16168 · WordPress · User Registration

Ayecode Ltd

Published

2021-10-04

Updated

2021-10-08

CVE-2021-24654

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions User Registration WordPress plugin versions prior to 2.0.2

Description The issue arises from the improper sanitization of the user registration profile pic url value when submitted via the "user registration update profile details" AJAX action. This could allow any authenticated user to perform Stored Cross-Site attacks when their profile is viewed.

Recommendations For versions prior to 2.0.2, update to version 2.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the user registration update profile details AJAX action to minimize the risk of exploitation. Avoid using the user registration profile pic url value in the affected AJAX action until the issue is resolved.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2021-24654

Affected Products

User Registration

PT-2021-16168 · WordPress · User Registration

CVE-2021-24654

Weakness Enumeration

Related Identifiers

Affected Products

References · 5