The discovery of CVE-2023-6067 in WP User Profile Avatar plugin underscores the critical need for heightened awareness of security vulnerabilities within WordPress ecosystems. This flaw poses a significant risk to website integrity, potentially leading to unauthorized access and control.

Main info:

PluginWP User Profile Avatar <= 1.0.1
All Time62 220
Active installations5 000+
Publicly PublishedMarch 25, 2023
Last UpdatedMarch 25, 2023
ResearcherDmtirii Ignatyev
OWASP TOP-10A7: Cross-Site Scripting (XSS)
Plugin Security Certification by CleanTalk


November 15, 2023Plugin testing and vulnerability detection in the WP User Profile Avatar plugin have been completed
November 15, 2023I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
March 25, 2024Registered CVE-2023-6067

Discovery of the Vulnerability

During rigorous testing, security researchers uncovered a vulnerability in the WP User Profile Avatar plugin, enabling malicious actors to execute Stored Cross-Site Scripting (XSS) attacks through the plugin’s shortcode feature. This flaw empowers contributors to embed malicious scripts, paving the way for account takeover.

Understanding of Stored XSS attack’s

Stored XSS exploits leverage vulnerabilities in web applications to inject and store malicious scripts in unsuspecting web pages or databases. In WordPress, such vulnerabilities allow attackers to execute scripts when unsuspecting users interact with compromised content, leading to account compromises, data theft, or further exploitation.

Exploiting the Stored XSS Vulnerability

Utilizing the POC shortcode provided, attackers can insert crafted payloads into new posts, camouflaging malicious code within seemingly innocuous content. When unsuspecting users view these posts, the injected scripts execute within their browsers, enabling attackers to hijack user sessions, escalate privileges, or steal sensitive data.


[user_profile_avatar size='” onmouseover=”alert(/XSS/)”‘]


The exploitation of CVE-2023-6067 presents grave risks to website owners and users alike. Attackers can leverage compromised accounts to disseminate malware, deface websites, or launch phishing campaigns. Furthermore, the stolen sensitive data could lead to identity theft or financial fraud, damaging reputations and causing financial losses.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2023-6067 and similar vulnerabilities, WordPress website owners should promptly delete their WP User Profile Avatar plugin. Additionally, implementing robust security measures such as regular security audits, web application firewalls, and content security policies can bolster defenses against XSS attacks. Educating users about safe browsing practices and encouraging the reporting of suspicious activities can also enhance overall security posture.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2023-6067, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability

Use CleanTalk solutions to improve the security of your website


Create your CleanTalk account

By signing up, you agree with license. Have an account? Log in.
CVE-2023-6067 – WP User Profile Avatar – Stored XSS via shortcode (Contributor+) – POC

Leave a Reply

Your email address will not be published. Required fields are marked *