VYPR
Unrated severity · NVD Advisory · Published Jun 20, 2023 · Updated Apr 28, 2026

WordPress Extra User Details Plugin <= 0.5 is vulnerable to Cross Site Scripting (XSS)

CVE-2023-35878

Description

Stored XSS in Extra User Details WordPress plugin <=0.5 allows admin-level attackers to inject arbitrary scripts via user profile fields.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Extra User Details plugin for WordPress, versions 0.5 and earlier, contains a stored cross-site scripting (XSS) vulnerability. An authenticated attacker with administrator-level privileges can inject arbitrary JavaScript into extra user profile fields (e.g., Facebook, Twitter, LinkedIn links), which are stored in the WordPress database and executed when other admin users view the affected fields [1].

Exploitation

To exploit this vulnerability, an attacker must have administrator access to the WordPress site. The attacker can then navigate to the plugin settings or user profile editing page and input malicious script payloads into the extra fields (such as social media links). These payloads are stored without proper sanitization and will be executed when any admin user views the modified user profile page [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This could lead to session token theft, unauthorized actions performed on behalf of the victim, or defacement of the admin dashboard. The impact is limited to admin users and the WordPress admin area due to the requirement for admin authentication [1].

Mitigation

The vulnerability is fixed in version 0.5.1 of the Extra User Details plugin (changelog entry for 0.5.1: "Fixed vulnurabilities"); the release date is not specified. Users are strongly advised to update to version 0.5.1 or later. No workarounds are documented [1].
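The following is an added illustration of the sanitize-on-save and escape-on-output handling whose absence the Exploitation section describes. It is stand-alone PHP written for this page, not the plugin's code or its 0.5.1 fix. It assumes the profile link is rendered into an input's `value` attribute; all function names and sample values are constructed.

```php
<?php
// Added example: stand-alone PHP, not the plugin's code. All names are hypothetical.
// In WordPress the same roles are played by esc_url_raw()/sanitize_text_field()
// on save and esc_url()/esc_attr() on output.

// Sanitize on save: accept only absolute http(s) URLs, otherwise store an empty string.
// The scheme allow-list matters because FILTER_VALIDATE_URL alone accepts other schemes.
function sanitize_profile_url(string $raw): string {
    $raw = trim($raw);
    if (filter_var($raw, FILTER_VALIDATE_URL) === false) {
        return '';
    }
    $scheme = strtolower((string) parse_url($raw, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $raw : '';
}

// Escape on output: encode for the HTML attribute context, whatever was stored.
function render_field(string $name, string $stored): string {
    $attr = fn(string $v) => htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return sprintf('<input type="text" name="%s" value="%s" />', $attr($name), $attr($stored));
}

// The flawed pattern the advisory describes: stored value echoed back unescaped.
function render_field_unescaped(string $name, string $stored): string {
    return '<input type="text" name="' . $name . '" value="' . $stored . '" />';
}

// Constructed sample inputs: one legitimate link, one value that breaks out of the attribute.
$samples = [
    'twitter'  => 'https://twitter.com/example',
    'facebook' => '"><script>alert(1)</script>',
];

foreach ($samples as $field => $submitted) {
    $clean = sanitize_profile_url($submitted);
    echo "field: $field\n";
    echo "  unescaped render of raw value : ", render_field_unescaped($field, $submitted), "\n";
    echo "  escaped render of raw value   : ", render_field($field, $submitted), "\n";
    echo "  escaped render after sanitize : ", render_field($field, $clean), "\n";
}
```

Both layers are shown because values written to the database before a fix was installed are only neutralized by the output-side escaping.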

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
