CVE-2023-4798 – User Avatar - Reloaded < 1.2.2 - Contributor+ Stored XSS

https://notcve.org/view.php?id=CVE-2023-4798

25 Sep 2023 — The User Avatar WordPress plugin before 1.2.2 does not properly sanitize and escape certain of its shortcodes attributes, which could allow relatively low-privileged users like contributors to conduct Stored XSS attacks. El complemento User Avatar de WordPress anterior a 1.2.2 no sanitiza ni escapa adecuadamente a algunos de sus atributos de shortcodes, lo que podría permitir a usuarios con privilegios relativamente bajos, como los contribuyentes, realizar ataques XSS almacenados. The User Avatar – Reloaded... • https://wpscan.com/vulnerability/273a95bf-39fe-4ba7-bc14-9527acfd9f42 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •