CVE-2022-0233

Name of the Vulnerable Software and Affected Versions The ProfileGrid – User Profiles, Memberships, Groups and Communities WordPress plugin versions up to and including 1.2.7

Description The issue arises from insufficient escaping via the pm user avatar and pm cover image parameters in the ~/admin/class-profile-magic-admin.php file, allowing attackers with authenticated user access to inject arbitrary web scripts into their profile.

Recommendations For versions up to and including 1.2.7, update to a version that includes the necessary escaping for the pm user avatar and pm cover image parameters to prevent Stored Cross-Site Scripting. As a temporary workaround, consider restricting access to the ~/admin/class-profile-magic-admin.php file to minimize the risk of exploitation.