Youzify < 1.0.7 - Stored Cross-Site Scripting via Biography

The About Me widget of the Youzify – BuddyPress Community, User Profile, Social Network & Membership WordPress plugin before 1.0.7 does not properly sanitise its Biography field, allowing any authenticated user to set Cross-Site Scripting payloads in it, which will be executed when viewing the affected user profile. This could allow a low privilege user to gain unauthorised access to the admin side of the blog by targeting an admin, inducing them to view their profile with a malicious payload adding a rogue account for example.

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

WordPress 插件跨站脚本漏洞

WordPress是Wordpress基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress 插件是WordPress开源的一个应用插件。 Wordpress Plugin Youzify 中存在跨站脚本漏洞，该漏洞源于产品的 /widgets/about_me/ 链接未能正确处理用户输入数据。经过认证的攻击者可通过该漏洞设置跨站脚本有效载荷来查看敏感信息。以下产品及版本受到影响：Wordpress Plugin Youzify 1.0.7

N/A

N/A