5 matches found
CVE-2021-24672
The One User Avatar WordPress plugin before 2.3.7 does not escape the link and target attributes of its shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks...
CVE-2021-24672
The One User Avatar WordPress plugin before 2.3.7 does not escape the link and target attributes of its shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks...
CVE-2021-24672
The One User Avatar WordPress plugin before 2.3.7 does not escape the link and target attributes of its shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks...
CVE-2021-24672 One User Avatar < 2.3.7 - Contributor+ Stored Cross-Site Scripting
The One User Avatar WordPress plugin before 2.3.7 does not escape the link and target attributes of its shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks...
CVE-2021-24672
The CVE-2021-24672 entry concerns the WordPress plugin One User Avatar (versions prior to 2.3.7). The vulnerability arises from failure to esc ape the link and target attributes in the plugin’s shortcode, enabling a user with as little as a Contributor role to perform a Stored Cross-Site Scriptin...