CVE-2021-24654
Description
The User Registration WordPress plugin before 2.0.2 does not properly sanitise the user_registration_profile_pic_url value when submitted directly via the user_registration_update_profile_details AJAX action. This could allow any authenticated user, such as subscriber, to perform Stored Cross-Site attacks when their profile is viewed
CWE
- CWE-79 — CWE-79 Cross-site Scripting (XSS)
Affected
- Unknown / User Registration – Custom Registration Form, Login And User Profile For WordPress — v=2.0.2 <2.0.2 [affected]
CVSS
- (none)
References
Source
cvelistV5-main/cves/2021/24xxx/CVE-2021-24654.json