CVE-2017-18566
Description
The user-role plugin before 1.5.6 for WordPress has multiple XSS issues.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress / user-role (versions before 1.5.6)
Patches
Vulnerability mechanics
Root cause
"Missing output sanitization/escaping in multiple plugin input fields allows stored or reflected Cross-Site Scripting."
Attack vector
An attacker can inject malicious JavaScript into the WordPress admin interface through unsanitized input fields in the User Role plugin. The vulnerability is classified as Cross-Site Scripting (XSS), meaning the plugin failed to escape or validate user-supplied data before rendering it in the browser [ref_id=1]. An attacker who can submit crafted input (for example via role names, capability names, or other plugin settings) could have the payload execute in the context of an administrator's session, where it can perform any action the administrator can, such as creating accounts or changing settings, so the realistic impact is privilege escalation or data theft. The advisory does not state which user role is required to submit the input, nor which of the issues are stored and which are reflected; in the reflected case the administrator must be induced to open an attacker-supplied link.
Affected code
The advisory does not specify which files or functions contain the XSS flaws. The changelog entry for version 1.5.6 states "Multiple Cross-Site Scripting (XSS) vulnerability was fixed" [ref_id=1], but no patch diff or file paths are provided.
What the fix does
The vendor addressed the issue in version 1.5.6, as noted in the changelog: "Multiple Cross-Site Scripting (XSS) vulnerability was fixed" [ref_id=1]. No patch diff is available in the bundle, so the specific escaping or sanitization changes cannot be described. Users should update to version 1.5.6 or later to remediate the issue.
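The pattern behind this class of bug, and the kind of fix a changelog entry like "multiple XSS fixed" usually stands for, is shown below as an added example; it is not code from the user-role plugin, and the function names (ur_render_form_vulnerable, ur_render_form_hardened, ur_save_role) and the field name ur_role_name are hypothetical. It renders an admin form that re-displays a role name first without and then with context-appropriate escaping, and includes the server-side capability and nonce checks a hardened save handler would carry. Fallback definitions of esc_html() and esc_attr() are supplied so the file also runs under the plain php CLI; inside WordPress the real functions are used.

```php
<?php
// Added example: vulnerable vs. hardened rendering of a plugin setting.
// Not the user-role plugin's code; names are hypothetical.

// Fallbacks so the file runs outside WordPress (php example.php).
// WordPress defines these itself; the guards make the fallbacks inert there.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// VULNERABLE: the stored role name is concatenated straight into a text node
// and into a value="" attribute. A name beginning with  ">  closes the
// attribute and the tag, and whatever follows is parsed as markup.
function ur_render_form_vulnerable( $role_name ) {
    return '<h2>Editing role: ' . $role_name . '</h2>' . "\n"
         . '<input type="text" name="ur_role_name" value="' . $role_name . '">';
}

// HARDENED: escape at the point of output, with the escaper matching the
// HTML context (esc_html for text content, esc_attr for attribute values).
// Input sanitization on save is useful but does not replace this step.
function ur_render_form_hardened( $role_name ) {
    return '<h2>Editing role: ' . esc_html( $role_name ) . '</h2>' . "\n"
         . '<input type="text" name="ur_role_name" value="' . esc_attr( $role_name ) . '">';
}

// Save handler, WordPress-only (guarded so the CLI demo below still runs).
// Hypothetical option name 'ur_role_name' and nonce action 'ur_save_role'.
if ( function_exists( 'add_action' ) ) {
    function ur_save_role() {
        // Only administrators may change plugin settings.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient privileges' );
        }
        // Reject cross-site requests (CSRF) against the save action.
        check_admin_referer( 'ur_save_role' );
        // Strip tags/whitespace on input; output escaping above still applies.
        $name = sanitize_text_field( wp_unslash( $_POST['ur_role_name'] ?? '' ) );
        update_option( 'ur_role_name', $name );
    }
    add_action( 'admin_post_ur_save_role', 'ur_save_role' );
}

// Constructed attacker input, as it would be typed into the role-name field.
$payload = '"><img src=x onerror=alert(document.cookie)>';

echo "Vulnerable rendering:\n" . ur_render_form_vulnerable( $payload ) . "\n\n";
echo "Hardened rendering:\n"   . ur_render_form_hardened( $payload )   . "\n";
```

Running the file with php prints two renderings of the same payload: in the vulnerable one the `<img ... onerror=...>` element appears as live markup inside the form, while in the hardened one every `"`, `<` and `>` has become an HTML entity, so the browser shows the payload as text. The same comparison is a cheap regression check to add to a plugin's test suite after an escaping fix.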
Preconditions
- Input: the attacker must be able to submit input to the plugin's admin-facing forms (e.g. role name or capability fields), or, for a reflected issue, to get an administrator to open a crafted link
- Auth: a logged-in administrator must view the page where the injected payload is rendered
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- wordpress.org/plugins/user-role/ (MITRE refsource: MISC)
News mentions
No linked articles in our index yet.