The One User Avatar WordPress plugin prior to 2.3.7 does not escape the link and target attributes of its shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
onedesigns one user avatar |