CVE-2022-47444
📋 TL;DR
This vulnerability allows unauthenticated attackers to inject malicious scripts into WordPress sites using the ProfilePress plugin. When victims view pages containing the injected scripts, attackers can steal session cookies, redirect users, or perform actions on their behalf. All WordPress sites running ProfilePress plugin version 4.5.3 or earlier are affected.
💻 Affected Systems
- ProfilePress (formerly WP User Avatar) WordPress plugin
📦 What is this software?
ProfilePress by Properfraction
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain full administrative access to the WordPress site, install backdoors, deface the site, or steal sensitive user data.
Likely Case
Attackers will typically steal user session cookies to hijack accounts, redirect users to malicious sites, or display phishing forms to steal credentials.
If Mitigated
With proper Content Security Policy (CSP) headers and input sanitization, the impact is limited to potential script execution in victim browsers without server compromise.
🎯 Exploit Status
Reflected XSS vulnerabilities are commonly exploited using simple payloads in URLs or form inputs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.5.4
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the ProfilePress plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 4.5.4 or later from WordPress.org and update manually.
🔧 Temporary Workarounds
Disable ProfilePress Plugin
Temporarily disable the vulnerable plugin until patching is possible.
wp plugin deactivate wp-user-avatar
Implement Content Security Policy
Add CSP headers to prevent script execution from unauthorized sources. Note that a policy as strict as script-src 'self' also blocks inline scripts, which WordPress core, themes and plugins commonly rely on, so test it in report-only mode or on a staging site before enforcing it.
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to nginx config: add_header Content-Security-Policy "default-src 'self'; script-src 'self'";
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block XSS payloads in URLs and form inputs
- Enable WordPress security plugins that provide XSS protection and input sanitization
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → ProfilePress version number
Check Version:
wp plugin get wp-user-avatar --field=version
Verify Fix Applied:
Verify ProfilePress plugin version is 4.5.4 or higher
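The version check above is easy to get wrong with plain string comparison ("4.5.10" sorts before "4.5.4" lexicographically). The following is an added example, not part of the advisory, that compares the installed version numerically against the fixed version 4.5.4 from this page and treats a pre-release build of 4.5.4 as still affected. The wrapper around the advisory's wp-cli command assumes wp is on PATH and that the site lives under the given path.

```python
# Added example (not from the advisory): decide whether an installed
# ProfilePress version falls in the affected range (<= 4.5.3) using
# numeric component comparison rather than string comparison.
import re
import subprocess

FIXED_VERSION = "4.5.4"  # patch version stated in the advisory

VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(.*)$")


def parse_version(version: str) -> tuple[tuple[int, ...], bool]:
    """'4.5.10' -> ((4, 5, 10), False); '4.5.4-beta1' -> ((4, 5, 4), True).

    The boolean flags a pre-release suffix, which sorts before the bare release.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    core = tuple(int(part) for part in m.group(1).split("."))
    prerelease = m.group(2).strip(" -.") != ""
    return core, prerelease


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `installed` is older than the fixed version."""
    (a, a_pre), (b, b_pre) = parse_version(installed), parse_version(fixed)
    # Pad so that "4.5" compares as "4.5.0".
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    if a != b:
        return a < b
    # Same numeric release: a pre-release of the fixed version precedes the fix.
    return a_pre and not b_pre


def installed_version_via_wpcli(site_path: str = "/var/www/html") -> str:
    """Run the advisory's wp-cli check (assumes `wp` is installed and on PATH)."""
    result = subprocess.run(
        ["wp", "plugin", "get", "wp-user-avatar", "--field=version",
         f"--path={site_path}"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed sample versions; replace with installed_version_via_wpcli().
    for v in ("4.4.1", "4.5.3", "4.5.4-beta1", "4.5.4", "4.5.10"):
        print(f"{v:12} vulnerable={is_vulnerable(v)}")
```

Plain string comparison would report 4.5.10 as older than 4.5.4; the tuple comparison above avoids that, and the pre-release flag keeps a beta of the fixed version on the affected side.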
📡 Detection & Monitoring
Log Indicators:
- Unusual GET/POST requests containing script tags or JavaScript code in parameters
- Multiple 404 errors for URLs containing suspicious parameters
Network Indicators:
- HTTP requests with suspicious parameters containing <script>, javascript:, or encoded payloads
SIEM Query:
source="*access.log*" AND ("<script" OR "javascript:" OR "%3Cscript" OR "%22%3E%3Cscript")
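The log and network indicators above match literal strings, so encoded or mixed-case variants such as %253Cscript (double-encoded) or JaVaScRiPt: slip past them. As an added example that is not part of the advisory, the script below parses access-log request lines, decodes each query parameter repeatedly until it stops changing, and then applies the indicator patterns. The log lines, client addresses, paths and parameter names are constructed for the example and are not taken from ProfilePress.

```python
# Added example (not from the advisory): flag access-log requests whose
# query parameters carry reflected-XSS indicators after full URL-decoding.
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache/nginx combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2023:10:00:01 +0000] "GET /wp-login.php?redirect_to=%2Fmy-account HTTP/1.1" 200 5120
203.0.113.9 - - [10/Jan/2023:10:00:02 +0000] "GET /my-account/?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5230
198.51.100.7 - - [10/Jan/2023:10:00:03 +0000] "GET /profile/?name=%22%3E%3CSCRIPT%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5230
198.51.100.8 - - [10/Jan/2023:10:00:04 +0000] "GET /profile/?link=JaVaScRiPt:alert(1) HTTP/1.1" 200 5230
198.51.100.9 - - [10/Jan/2023:10:00:05 +0000] "GET /profile/?bio=%253Cscript%253Esrc%253Dx HTTP/1.1" 200 5230
203.0.113.5 - - [10/Jan/2023:10:00:06 +0000] "GET /blog/?s=javascript+tutorial HTTP/1.1" 200 8000
"""

# Request line inside the quoted field: METHOD TARGET HTTP/x.y
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators from the advisory (<script, javascript:) plus inline event handlers,
# matched case-insensitively on the decoded value.
XSS_RE = re.compile(r"<\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads surface."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> list[tuple[str, str]]:
    """Return (parameter, decoded value) pairs that match an XSS indicator."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl already decodes one layer and turns '+' into a space.
    for key, raw in parse_qsl(query, keep_blank_values=True):
        decoded = fully_decode(raw)
        if XSS_RE.search(decoded):
            hits.append((key, decoded))
    return hits


def scan_log(text: str) -> list[dict]:
    """Scan combined-format log text and return one finding per flagged request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({
                "client": line.split(" ", 1)[0],
                "path": urlsplit(m.group("target")).path,
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["client"], finding["path"], finding["params"])
```

Run against a real access log by passing the file contents to scan_log; the search term line ("javascript tutorial", no colon) is left alone, while the double-encoded and mixed-case lines that a literal "<script" match would miss are flagged.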
🔗 References
- https://patchstack.com/database/vulnerability/wp-user-avatar/wordpress-paid-membership-ecommerce-registration-form-login-form-user-profile-paywall-restrict-content-profilepress-plugin-4-4-1-cross-site-scripting-xss?_s_id=cve