CVE-2025-68080
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal User Avatar - Reloaded user-avatar-reloaded allows Stored XSS. This issue affects User Avatar - Reloaded: from n/a through <= 1.2.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the User Avatar - Reloaded WordPress plugin (≤1.2.2) lets attackers inject arbitrary scripts, visible to all visitors.
The User Avatar - Reloaded plugin for WordPress (versions 1.2.2 and earlier) contains a stored cross-site scripting (XSS) vulnerability. The root cause is improper neutralization of user-supplied input during web page generation, allowing malicious scripts to be permanently injected into the site's content [1].
Exploitation requires user interaction from a privileged role (such as a site administrator) who must perform an action like clicking a malicious link or submitting a crafted form. Once executed, the injected script is stored within the WordPress backend and rendered for all subsequent visitors [1].
An attacker can leverage this stored XSS to inject arbitrary HTML or JavaScript payloads. This may include redirects, advertisement injections, or other malicious scripts that execute in the browser of every guest browsing the affected site [1].
As of the advisory, immediate action is recommended: update the plugin to a patched version if available. If updating is not possible, users should ask their hosting provider or web developer for assistance. The vulnerability is noted as being frequently used in mass-exploit campaigns [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE), range: <=1.2.2
- (no CPE), range: <=1.2.2
Patches
No patches discovered yet.
References
1 reference.
News mentions
No linked articles in our index yet.