Description
The WP HTML Author Bio WordPress plugin through 1.2.0 does not sanitise the HTML it allows in users' Bio fields, so a user can store malicious JavaScript that executes whenever anyone visits a frontend post written by that user. As a result, a user with a role as low as Author can perform stored Cross-Site Scripting attacks against other users, which could lead to privilege escalation when an administrator views the affected post(s).
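The description above comes down to one pattern: a plugin that wants "HTML in the author bio" and gets it by letting user-supplied markup through unfiltered, instead of running it through an allowlist. The PHP below is an added illustration, not the WP HTML Author Bio plugin's code; the `hypothetical_bio_*` function names, the allowlist and the sample payload are constructed for this example. It shows the unsafe approach (removing core's kses filter from the bio field) next to a hardened one (allowlisting on save and again on output), plus a small audit loop a site owner can run to find bios already holding disallowed markup. The WordPress functions and hooks used (`wp_kses`, `remove_filter`, `pre_user_description`, `get_the_author_description`, `get_users`) are real core APIs.

```php
<?php
/**
 * Illustrative only: not the WP HTML Author Bio plugin's code.
 * Contrasts an unsafe and a hardened way to let users put HTML in their bio.
 */

// --- UNSAFE PATTERN (the behaviour class CWE-79 covers) -------------------
// WordPress core's kses_init_filters() attaches wp_filter_kses() to
// 'pre_user_description' for users lacking the 'unfiltered_html' capability
// (Authors lack it by default). Removing that filter lets an Author store
// <script> tags or on*= handlers, which then render verbatim wherever the bio
// is echoed, including in an administrator's browser session.
function hypothetical_bio_allow_raw_html() {
    remove_filter( 'pre_user_description', 'wp_filter_kses' );
}
// kses_init() registers its filters on 'init' at priority 10, so the removal
// only "works" if it runs later. Left disabled here on purpose:
// add_action( 'init', 'hypothetical_bio_allow_raw_html', 11 );

// --- HARDENED PATTERN ------------------------------------------------------
// Allow formatting markup only. No <script>, no on*= attributes, and wp_kses()
// restricts href to wp_allowed_protocols(), which excludes javascript:.
function hypothetical_bio_allowed_html() {
    return array(
        'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
        'strong' => array(),
        'em'     => array(),
        'p'      => array(),
        'br'     => array(),
        'ul'     => array(),
        'ol'     => array(),
        'li'     => array(),
    );
}

// Sanitise on save so nothing dangerous reaches usermeta. Priority 20 keeps
// core's own wp_filter_kses() (priority 10) in place as a first pass.
function hypothetical_bio_filter_on_save( $description ) {
    return wp_kses( $description, hypothetical_bio_allowed_html() );
}
add_filter( 'pre_user_description', 'hypothetical_bio_filter_on_save', 20 );

// Sanitise on output as well: a bio may have been stored by an earlier,
// unfiltered release, so the frontend must not trust the database.
function hypothetical_bio_filter_on_output( $description ) {
    return wp_kses( $description, hypothetical_bio_allowed_html() );
}
add_filter( 'get_the_author_description', 'hypothetical_bio_filter_on_output' );

// Audit check for an existing site: list users whose stored bio would change
// under the allowlist, i.e. bios that currently carry disallowed markup.
function hypothetical_bio_audit() {
    $flagged = array();
    foreach ( get_users( array( 'fields' => array( 'ID', 'user_login' ) ) ) as $user ) {
        $raw   = (string) get_user_meta( $user->ID, 'description', true );
        $clean = wp_kses( $raw, hypothetical_bio_allowed_html() );
        if ( $raw !== $clean ) {
            $flagged[ $user->user_login ] = $raw;
        }
    }
    return $flagged; // user_login => offending bio HTML
}

// Frontend template usage (inside The Loop); with the output filter attached
// this echoes the sanitised bio:
// echo get_the_author_meta( 'description' );
//
// Constructed staging payload (not taken from the advisory):
//   <img src=x onerror="alert(document.cookie)"><a href="javascript:alert(1)">x</a>
// Under the allowlist wp_kses() drops the <img> entirely (not allowed) and
// strips the javascript: scheme from the href, leaving <a href="alert(1)">x</a>.
```

Two points worth keeping in mind when applying this to a real site: filtering on save alone does not clean bios that were stored while the unfiltered release was active, which is why the output filter and the audit loop are there; and the Author role's lack of `unfiltered_html` is exactly the boundary the vulnerable pattern erases, so any "allow HTML" feature should extend the kses allowlist rather than remove it.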
Exploits (2)
References (1)
Core References
Tags: Exploit, Third Party Advisory (x_refsource_misc)
https://wpscan.com/vulnerability/64267134-9d8c-4e0c-b24f-d18692a5775e
Scores
CVSS v3
5.4
EPSS
0.1332
EPSS Percentile
94.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
wp_html_author_bio_project/wp_html_author_bio
<= 1.2.0 (the description states "through 1.2.0", i.e. version 1.2.0 itself is affected)
Published
Oct 11, 2021
Tracked Since
Feb 18, 2026