VYPR
Unrated severity · NVD Advisory · Published Oct 11, 2021 · Updated Aug 3, 2024

WP HTML Author Bio <= 1.2.0 - Author+ Stored Cross-Site Scripting

CVE-2021-24545

Description

The WP HTML Author Bio WordPress plugin through 1.2.0 does not sanitise the HTML allowed in the Bio of users, allowing them to use malicious JavaScript code, which will be executed when anyone visits a post in the frontend made by such a user. As a result, a user with a role as low as Author could perform Cross-Site Scripting attacks against users, which could potentially lead to privilege escalation when an admin views the related post(s).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"Missing HTML sanitization in the user Bio field allows stored cross-site scripting."

Attack vector

An attacker with at least the Author role can inject arbitrary JavaScript into their user Bio field because the plugin does not sanitize HTML [ref_id=1]. When any visitor loads a post authored by that user, the malicious script executes in the visitor's browser. If an administrator views the post, the script can steal session cookies or perform actions on behalf of the admin, potentially leading to privilege escalation [ref_id=1].

Affected code

The WP HTML Author Bio plugin through version 1.2.0 does not sanitize the HTML allowed in the user Bio field. The advisory does not specify the exact file or function responsible for the bio output, but the vulnerability lies in the plugin's failure to filter or escape HTML before rendering the bio on the frontend.

What the fix does

The advisory states that no known fix is available [ref_id=1]. To remediate the vulnerability, the plugin should sanitize the HTML allowed in the user Bio field—for example, by stripping or escaping script tags and other dangerous HTML elements—before storing or displaying the bio on the frontend.
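As an added illustration (not the plugin's own code, which the advisory does not show), a hypothetical WordPress bio-rendering path with the unsafe pattern beside an allowlist-based fix using core's wp_kses(); the vypr_example_* function names and the allowlist contents are assumptions:

```php
<?php
// Hypothetical author-bio rendering, not the WP HTML Author Bio plugin's own code.

// Vulnerable pattern: the bio saved by an Author-role user is echoed verbatim,
// so any <script> element or on* handler it contains runs in every visitor's browser.
function vypr_example_render_bio_unsafe( $author_id ) {
    $bio = get_the_author_meta( 'description', $author_id );
    return '<div class="author-bio">' . $bio . '</div>'; // stored XSS sink
}

// Hardened pattern: keep a small allowlist of harmless formatting tags and
// attributes. wp_kses() drops everything else, including <script>, event
// handler attributes and javascript: URLs (only the listed protocols survive).
function vypr_example_bio_allowed_html() {
    return array(
        'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
        'strong' => array(),
        'em'     => array(),
        'br'     => array(),
        'p'      => array(),
        'ul'     => array(),
        'ol'     => array(),
        'li'     => array(),
    );
}

function vypr_example_render_bio_safe( $author_id ) {
    $bio   = get_the_author_meta( 'description', $author_id );
    $clean = wp_kses( $bio, vypr_example_bio_allowed_html(), array( 'http', 'https', 'mailto' ) );
    return '<div class="author-bio">' . $clean . '</div>';
}

// Defence in depth: also sanitize on save so a malicious bio never reaches the
// database. Core applies wp_filter_kses on pre_user_description for users that
// lack the unfiltered_html capability; a plugin that removes that filter to
// "allow HTML" should re-add an allowlist filter such as this one instead.
add_filter( 'pre_user_description', function ( $description ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $description;
    }
    return wp_kses( $description, vypr_example_bio_allowed_html(), array( 'http', 'https', 'mailto' ) );
}, 10, 1 );
```

Sanitizing at both the save and render steps means an already-stored malicious bio is neutralized on output while new submissions are cleaned on the way in.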

Preconditions

  • auth: The attacker must have at least the Author role in WordPress.
  • config: The WP HTML Author Bio plugin (version <= 1.2.0) must be active.
  • input: A victim must visit a post authored by the attacker on the frontend.

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
