Can you explain this vulnerability to me?

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the User Profile Builder WordPress plugin. It occurs via the 'gdpr_communication_preferences[]' parameter due to insufficient input sanitization and output escaping. Authenticated users with Subscriber-level access or higher can inject malicious scripts that execute when other users view the affected pages. Exploitation requires the GDPR Communication Preferences module to be enabled and at least one GDPR Communication Preferences field added to the profile edit form.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can allow attackers with low-level access to inject malicious scripts that execute in other users' browsers. This can lead to theft of sensitive information, session hijacking, or other malicious actions performed on behalf of the victim user. It compromises the integrity and security of user data and interactions within the affected WordPress site.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately update the User Profile Builder plugin to a version later than 3.14.3 where the issue is fixed. Additionally, consider disabling the GDPR Communication Preferences module or removing any GDPR Communication Preferences fields from the edit profile form until the update is applied. Limit user roles to trusted users only and monitor for suspicious activity related to profile editing.

Useful 0 Not Useful 0