The plugin does not sanitize and escape several form fields before outputting them to pages on the site, allowing authenticated (admin+) users to inject arbitrary web scripts even when the unfiltered_html capability has been disabled (such as in a multisite setup).

| CPE | Name | Operator | Version |
|---|---|---|---|
| | wp-user-avatar | lt | 4.5.1 |
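
The flaw described above, shown as an added example that is not the plugin's own code: the advisory does not name the affected fields, so the option names `example_form_label` and `example_form_description`, the nonce action, and all function names here are hypothetical. It assumes the code runs inside WordPress and shows the unsafe save/render pair next to a version that sanitizes on save and escapes on output without relying on the user's role or on unfiltered_html.

```php
<?php
// Added illustration; assumes WordPress is loaded. All names are hypothetical.

// Vulnerable pattern: the raw POST value is stored and later echoed unchanged,
// so markup entered by an admin reaches visitors even where unfiltered_html is denied.
function example_save_label_unsafe() {
    update_option( 'example_form_label', $_POST['example_form_label'] );
}
function example_render_label_unsafe() {
    echo '<label>' . get_option( 'example_form_label' ) . '</label>';
}

// Hardened save: verify the request, then sanitize according to the field's type.
function example_save_fields() {
    check_admin_referer( 'example_save_fields' ); // nonce check, dies on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $label = isset( $_POST['example_form_label'] ) && is_string( $_POST['example_form_label'] )
        ? wp_unslash( $_POST['example_form_label'] ) : '';
    $desc  = isset( $_POST['example_form_description'] ) && is_string( $_POST['example_form_description'] )
        ? wp_unslash( $_POST['example_form_description'] ) : '';

    // Plain-text field: strip all tags.
    update_option( 'example_form_label', sanitize_text_field( $label ) );
    // Rich-text field: keep only the tags allowed in post content (no <script>, no on* handlers).
    update_option( 'example_form_description', wp_kses_post( $desc ) );
}

// Hardened render: escape for the output context even though the value was sanitized on save,
// because rows written by an older plugin version may still hold unsanitized data.
function example_render_fields() {
    $label = get_option( 'example_form_label', '' );
    printf(
        '<label title="%s">%s</label><div class="description">%s</div>',
        esc_attr( $label ),                                        // attribute context
        esc_html( $label ),                                        // HTML text context
        wp_kses_post( get_option( 'example_form_description', '' ) ) // filtered HTML context
    );
}
```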