VYPR
Medium severity (CVSS 6.5) · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-41556

Description

Stored XSS vulnerability in ProfilePress plugin for WordPress allows subscriber-level users to inject malicious scripts, affecting versions up to 4.16.13.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the ProfilePress plugin (wp-user-avatar) for WordPress, affecting versions up to and including 4.16.13 [1]. The flaw allows users with subscriber-level privileges to inject arbitrary JavaScript into profile fields or other input areas that are later rendered without proper sanitization. Successful exploitation requires that a privileged user (e.g., administrator) interacts with the injected content, such as by viewing a profile page or clicking a crafted link [1].

Exploitation

An attacker must first have a subscriber-level account on the target WordPress site. They can then inject malicious script code into a vulnerable input field (e.g., profile bio or custom field). The injected payload is stored on the server. To trigger execution, a privileged user (such as an admin) must perform an action like visiting the affected profile page, clicking a malicious link, or submitting a form that renders the payload [1]. No additional network position or authentication beyond the subscriber account is required.
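Added illustration of the bug class described in the Vulnerability and Exploitation sections (this is not ProfilePress's own code; the page carries no fix diff): a WordPress profile field written by a low-privileged user and echoed back unescaped, beside a hardened version that checks capability and nonce, filters on save and escapes on output. The meta key, nonce action and form field name are assumptions, and the code assumes it runs inside WordPress.

```php
<?php
// Illustrative only: not ProfilePress code. Shows the stored-XSS pattern
// (subscriber-controlled profile text stored, then rendered unescaped)
// and a hardened equivalent. Meta key and nonce action are invented.

const PROFILE_BIO_META_KEY = 'example_profile_bio'; // hypothetical meta key

// VULNERABLE pattern: raw POST input is stored as-is and later echoed without
// escaping, so any markup a subscriber saves runs in every viewer's browser,
// including an administrator who opens the profile page.
function vulnerable_save_bio( int $user_id ): void {
    update_user_meta( $user_id, PROFILE_BIO_META_KEY, $_POST['bio'] ?? '' );
}
function vulnerable_render_bio( int $user_id ): string {
    return '<div class="bio">' . get_user_meta( $user_id, PROFILE_BIO_META_KEY, true ) . '</div>';
}

// HARDENED pattern: authorise the write, verify the nonce, filter on input,
// and filter/escape again on output. Output handling is the control that
// actually stops XSS; input filtering is defence in depth, because the same
// meta value may be written by other code paths or predate the fix.
function hardened_save_bio( int $user_id ): bool {
    // 'edit_user' maps to "allowed" for the user's own profile and to
    // 'edit_users' for anyone else's, so this covers owner and admin.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return false;
    }
    $nonce = isset( $_POST['_wpnonce'] ) ? (string) wp_unslash( $_POST['_wpnonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_save_bio_' . $user_id ) ) {
        return false; // reject forged cross-site form submissions
    }
    // wp_kses_post() keeps only the tags/attributes WordPress allows in post
    // content (no script, no event handlers). If the field should carry no
    // markup at all, sanitize_text_field() is the stricter choice.
    $bio = wp_kses_post( wp_unslash( $_POST['bio'] ?? '' ) );
    update_user_meta( $user_id, PROFILE_BIO_META_KEY, $bio );
    return true;
}
function hardened_render_bio( int $user_id ): string {
    $bio = (string) get_user_meta( $user_id, PROFILE_BIO_META_KEY, true );
    // Re-filter at render time so values stored before the fix are also
    // neutralised. For a plain-text field, esc_html( $bio ) would be used
    // instead; for an attribute context, esc_attr().
    return '<div class="bio">' . wp_kses_post( $bio ) . '</div>';
}
```

When auditing a plugin for this class of flaw, the question to ask of every profile or custom field is which function sits between the stored value and the page: a bare `echo` or concatenation of user meta is the defect, regardless of what happened on save.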

Impact

If successfully exploited, the attacker's script executes in the context of the victim's browser session. This can lead to unauthorized actions such as redirecting visitors to malicious sites, displaying advertisements, or injecting arbitrary HTML content into the website [1]. The attacker could potentially steal session cookies, perform actions on behalf of the victim, or deface the site. The impact is limited to the browser of the interacting user, but due to the stored nature, multiple users may be affected.

Mitigation

The vulnerability is fixed in ProfilePress version 4.16.14 [1]. Users should update the plugin immediately. Patchstack has also released a virtual mitigation rule to block attacks until the update is applied [1]. No other workarounds are provided. Given that this vulnerability is expected to be exploited in mass campaigns, prompt patching is strongly recommended.

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE — the mechanics section is only generated when we can read the actual fix diff. Without that, its four parts (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0 (no linked articles in our index yet)