Cross-Site Scripting Vulnerability in NotFound Private Messages for UserPro
CVE-2025-22322

7.1HIGH

Key Information:

Vendor: Notfound
Status: Private Messages For Userpro
Vendor: CVE Published:; 21 January 2025

Summary

A Cross-Site Scripting (XSS) vulnerability exists in the NotFound Private Messages for UserPro plugin, allowing attackers to inject malicious scripts into web pages viewed by users. This issue affects versions from n/a up to 4.10.0, enabling reflected XSS attacks that can compromise the security of affected sites and their users.

Affected Version(s)

Private Messages for UserPro <= 4.10.0

References

https://patchstack.com/database/wordpress/plugin/userpro-...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 21, 2025
Vulnerability Reserved
Jan 3, 2025

Credit

Bonds (Patchstack Alliance)