One User Avatar

one_user_avatar

Vendor: Onedesigns • 2 CVEs

CVEs (2)

Vendors: 1 Onedesigns
Products: 1 One User Avatar
Updated: Jun 17, 2026
Published: Oct 18, 2021
CVSS: N/A (v4), 6.5 MEDIUM (v3), 4.3 MEDIUM (v2)
Description: The One User Avatar WordPress plugin before 2.3.7 does not check for CSRF when updating the avatar on pages where the [avatar_upload] shortcode is embedded. As a result, attackers could make a logged-in user change their avatar via a CSRF attack.

Vendors: 1 Onedesigns
Products: 1 One User Avatar
Updated: Jun 17, 2026
Published: Oct 18, 2021
CVSS: N/A (v4), 5.4 MEDIUM (v3), 3.5 LOW (v2)
Description: The One User Avatar WordPress plugin before 2.3.7 does not escape the link and target attributes of its shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.