
ProfilePress CVE-2026-41556

EUVD-2026-36809 · MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 · Patchstack · GHSA-c4ch-mh98-q8x5
CVSS 3.1 base score 6.5 · Vendor: Patchstack

Severity by source

Vendor (Patchstack), PRIMARY: 6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

vuln.today AI: 5.4 MEDIUM

PR:L reflects the required subscriber account; S:C captures cross-user browser execution; A:N because XSS carries no realistic availability impact on the vulnerable system.

CVSS 3.1: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

1. Analysis Generated - Jun 15, 2026, 23:04 (vuln.today)

Description (CVE.org)

Subscriber Cross Site Scripting (XSS) in ProfilePress <= 4.16.13 versions.

Analysis (AI)

Cross-site scripting in ProfilePress WordPress plugin versions up to and including 4.16.13 allows authenticated subscribers to inject malicious JavaScript payloads that execute in the browsers of other users - including administrators - who view affected content. The CVSS scope change (S:C) indicator confirms this is a stored or reflected XSS that crosses privilege boundaries, enabling low-privilege users to target higher-privilege accounts. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Register subscriber account on target site
Delivery: Inject XSS payload into ProfilePress profile field
Exploit: Induce or await admin/privileged user to view profile
Execution: Payload executes in victim browser
Impact: Exfiltrate session token or forge admin action

Vulnerability Assessment (AI)

Exploitation: Exploitation requires: (1) the target WordPress site must have the ProfilePress plugin installed and active in versions ≤ 4.16.13; (2) the attacker must possess or obtain at minimum a subscriber-level WordPress account on the target site - open registration (the WordPress default) satisfies this; (3) a higher-privileged user (e.g., administrator or editor) must interact with content rendered from the subscriber's profile, such as visiting a profile page or an admin panel section that displays subscriber data. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS base score of 6.5 (Medium) reflects a real but bounded risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker registers a free subscriber account on a vulnerable WordPress site running ProfilePress ≤ 4.16.13, then inserts a JavaScript payload (e.g., a cookie-stealing script or admin action forger) into a profile field that lacks proper output encoding. When a site administrator or privileged user views the subscriber's profile page, the payload executes in their browser context, potentially allowing session token theft, unauthorized administrative actions, or persistent backdoor installation via admin-accessible plugin or theme editors. …

Remediation: Update the ProfilePress plugin to any version released after 4.16.13; however, an exact confirmed patched release version is not independently verifiable from the available input data - administrators should check the official WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-user-avatar/vulnerability/wordpress-profilepress-plugin-4-16-13-cross-site-scripting-xss-vulnerability for the current patched release. … Detailed patch versions, workarounds, and compensating controls in full report.
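The "profile field that lacks proper output encoding" named in the exploit scenario is the general pattern behind this bug class, whatever the exact code path in ProfilePress is. The PHP below is an added illustration written for this page; it is not ProfilePress's code and not taken from the advisory. It renders a stored profile field two ways, raw interpolation next to HTML-encoded output, and adds a round-trip check a reviewer or unit test can use to confirm that nothing a user typed reaches the page as markup. The `esc_text()` helper, the `pp-bio` class name and the sample bio string are constructed for the example; in a real plugin the WordPress helpers `esc_html()` and `esc_attr()` perform the same encoding and should be used instead.

```php
<?php
// Added illustrative example (not ProfilePress code): rendering a
// user-supplied profile field with and without output encoding.
// Plain PHP is used so the file runs outside WordPress; esc_html() /
// esc_attr() in WordPress wrap the same htmlspecialchars() behaviour.

// Constructed sample: a "bio" value a subscriber might save.  The <script>
// tag stands in for any markup that must never reach the page unescaped.
const SAMPLE_BIO = "Hi there <script>alert('xss')</script>";

// Vulnerable pattern: the stored value is interpolated straight into HTML,
// so any tag inside it is parsed by the viewer's browser.
function render_bio_unsafe(string $bio): string
{
    return "<div class=\"pp-bio\">$bio</div>";
}

// Hardened pattern: encode for the HTML text context before output.
// ENT_QUOTES also encodes ' and ", so the same helper is safe inside a
// quoted attribute.  (Hypothetical helper name chosen for this example.)
function esc_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_bio_safe(string $bio): string
{
    return '<div class="pp-bio">' . esc_text($bio) . '</div>';
}

// Attribute context: encoding must happen inside the quotes, and the
// attribute must actually be quoted, otherwise a space in the value
// starts a new attribute.
function render_avatar_alt_safe(string $displayName): string
{
    return '<img src="/avatar.png" alt="' . esc_text($displayName) . '">';
}

// Round-trip check for code review or unit tests: strip the template's own
// tags, decode entities the way a browser would, and the result must equal
// the original input.  If the input's markup was emitted raw, strip_tags()
// removes it and the comparison fails, flagging the missing encoding.
function field_is_encoded(string $rendered, string $input): bool
{
    $text = html_entity_decode(strip_tags($rendered), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return $text === $input;
}

$unsafe = render_bio_unsafe(SAMPLE_BIO);
$safe   = render_bio_safe(SAMPLE_BIO);

echo "unsafe : $unsafe\n";
echo "safe   : $safe\n";
echo "unsafe encoded? " . (field_is_encoded($unsafe, SAMPLE_BIO) ? 'yes' : 'no') . "\n";
echo "safe   encoded? " . (field_is_encoded($safe, SAMPLE_BIO) ? 'yes' : 'no') . "\n";
echo render_avatar_alt_safe('Jane "JD" Doe') . "\n";
```

Run with `php example.php`. The round-trip check is a review aid, not a runtime control: it catches a template that forgot to encode, but the remediation that matters for this CVE is still updating the plugin to a release after 4.16.13 as the advisory states.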



CVE-2026-41556 vulnerability details – vuln.today
