CVE-2021-24654 User Registration < 2.0.2 - Low Privilege Stored Cross-Site Scripting

2021-10-0411:20:17

CWE-79

WPScan

www.cve.org

0.001 Low

EPSS

Percentile

25.0%

JSON

The User Registration WordPress plugin before 2.0.2 does not properly sanitise the user_registration_profile_pic_url value when submitted directly via the user_registration_update_profile_details AJAX action. This could allow any authenticated user, such as subscriber, to perform Stored Cross-Site attacks when their profile is viewed

CNA Affected

[
  {
    "product": "User Registration – Custom Registration Form, Login And User Profile For WordPress",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "2.0.2",
        "status": "affected",
        "version": "2.0.2",
        "versionType": "custom"
      }
    ]
  }
]

References

wpscan.com/vulnerability/5c7a9473-d32e-47d6-9f8e-15b96fe758f2

0.001 Low

EPSS

Percentile

25.0%

JSON

Related for CVELIST:CVE-2021-24654