WordPress ProfilePress Plugin <= 4.4.1 is vulnerable to Cross Site Scripting (XSS)
CVE-2022-47444

7.1HIGH

Key Information:

Vendor: WordPress
Status: Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – Profilepress
Vendor: CVE Published:; 29 March 2023

Summary

An unauthenticated reflected Cross-Site Scripting (XSS) vulnerability exists in the ProfilePress Membership Plugin, affecting versions up to 4.5.3. This vulnerability could allow attackers to inject malicious scripts into web pages viewed by end-users, leading to unauthorized actions and potential data breaches. Users of this plugin are strongly advised to upgrade to the latest version to mitigate risks associated with this security flaw.

Affected Version(s)

Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.5.3

References

https://patchstack.com/database/vulnerability/wp-user-ava...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 29, 2023
Vulnerability Reserved
Dec 15, 2022

Credit

pilvar (Patchstack Alliance)