CVE-2021-24672

Summary

The One User Avatar WordPress plugin before 2.3.7 does not escape the link and target attributes of its shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

Affected Software

VendorProductVersion RangeStatus
UnknownOne User AvatarUser Profile Picture2.3.7 < 2.3.7

Weaknesses

  • CWE-79: CWE-79 Cross-site Scripting (XSS)

ADP Enrichment

CVE Program Container

Additional References

References