CVE-2023-46621
Description
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Enej Bajgoric / Gagan Sandhu / CTLT DEV User Avatar plugin <= 1.4.11 versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in WordPress User Avatar plugin <=1.4.11 allows unauthenticated attackers to inject scripts via crafted requests.
Vulnerability
Overview
The User Avatar plugin for WordPress, versions 1.4.11 and earlier, contains a reflected cross-site scripting (XSS) vulnerability. The flaw stems from insufficient input sanitization and missing output escaping: a request parameter is written back into a page generated by the plugin without being encoded, so an unauthenticated attacker can inject arbitrary JavaScript into that page. The cited source rates the issue High severity with a CVSS score of 7.1 [1].
Exploitation
Method
Exploitation requires user interaction. The attacker crafts a URL or form submission that carries the payload in the reflected parameter and must get a victim, ideally a logged-in administrator, to open it; the reflected script then runs in the victim's browser within that user's session and the site's origin. No authentication is needed to stage the attack, so any unauthenticated actor can prepare and distribute the malicious link [1].
Impact
If exploited, the injected script executes in the browser of any user who follows the crafted link. It can be used to redirect the victim to malicious sites, deface content, steal session data or other sensitive information, or, when the victim is an administrator, perform further actions on the site with that user's privileges. The cited source considers the vulnerability moderately dangerous and expects it to be used in mass-exploit campaigns targeting thousands of sites indiscriminately [1]. Note that, unlike stored XSS, a reflected payload only fires when a victim opens the attacker's link, so delivery relies on phishing or malicious referrals rather than on direct requests to the site.
Mitigation
The cited source reports the issue as patched in version 1.4.12 of the User Avatar plugin, and users are advised to update immediately [1]. The Patches section of this entry lists no patch yet, so confirm the fix version against the plugin's changelog before relying on it. If updating is not possible, a web application firewall rule that blocks requests carrying HTML or script markup in query parameters sent to the plugin's pages can reduce exposure until the update is applied, with the usual caveat that pattern-based rules can be bypassed and are not a substitute for output escaping in the plugin itself [1].
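The mechanics described in the Overview and the check a practitioner wants after applying the Mitigation, as an added example that is not code from the plugin or from the advisory. It models the bug in Python rather than PHP: render_vulnerable() echoes a request parameter into HTML unescaped, render_fixed() encodes it the way WordPress esc_attr() would, classify_reflection() is a non-executing canary test that tells the two apart in a real response body, and looks_like_xss_probe() is a minimal stand-in for the kind of WAF stopgap rule mentioned above. The parameter name avatar_name, the form markup, the canary value and the sample response are constructed for the example; the advisory does not name the vulnerable parameter.

```python
import html
from urllib.parse import parse_qsl, urlencode

# Constructed canary: a unique token plus the characters that must be
# encoded in an attribute context. It executes nothing, so it is safe to
# send against a site you are authorised to test.
CANARY = 'xsscanary7q"><u>'

# Hypothetical parameter name; the advisory does not name the real one.
PARAM = "avatar_name"


def render_vulnerable(value: str) -> str:
    """Model of the flaw: the request parameter is written straight into
    an attribute value with no escaping, so a double quote closes the
    attribute and the rest of the value becomes markup."""
    return f'<input type="text" name="{PARAM}" value="{value}">'


def render_fixed(value: str) -> str:
    """Hardened form: html.escape(quote=True) stands in for WordPress
    esc_attr(). Quotes and angle brackets become entities, so the value
    can no longer break out of the attribute."""
    return f'<input type="text" name="{PARAM}" value="{html.escape(value, quote=True)}">'


def build_probe_url(base_url: str, param: str = PARAM, canary: str = CANARY) -> str:
    """URL a tester requests to see how the parameter is reflected.
    urlencode percent-encodes the canary, so the server receives the
    raw characters after decoding the query string."""
    return f"{base_url}?{urlencode({param: canary})}"


def classify_reflection(body: str, canary: str = CANARY) -> str:
    """Decide from a response body whether the canary was reflected.

    'unescaped' : raw canary present, injection possible (vulnerable)
    'escaped'   : only the entity-encoded form present (fixed)
    'absent'    : parameter not reflected into this page at all
    """
    if canary in body:
        return "unescaped"
    if html.escape(canary, quote=True) in body:
        return "escaped"
    return "absent"


def looks_like_xss_probe(query_string: str) -> bool:
    """Minimal WAF-style check on the raw query string: flags any
    parameter value containing angle brackets or quotes. Cheap to
    deploy as a stopgap, but such pattern rules are bypassable and do
    not replace output escaping in the plugin."""
    for _, value in parse_qsl(query_string, keep_blank_values=True):
        if any(c in value for c in '<>"\''):
            return True
    return False


if __name__ == "__main__":
    # Constructed walk-through: the same canary through both renderers.
    for label, page in (("vulnerable", render_vulnerable(CANARY)),
                        ("fixed", render_fixed(CANARY))):
        print(f"{label:10s} -> {classify_reflection(page)}")
    print(build_probe_url("https://example.test/page"))
```

Request the probe URL before and after the update and run classify_reflection() on the returned body; an 'unescaped' result reproduces the condition the advisory describes, and 'escaped' after the update is the evidence that output escaping is now in place. Only test sites you are authorised to test.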
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
cpe:2.3:a:enejbajgoric\/gagansandhu\/ctltdev:user_avatar:*:*:*:*:*:wordpress:*:* (range: <= 1.4.11)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.