Title: Cross Site Scripting Vulnerability
Last modified: August 21, 2016

---

# Cross Site Scripting Vulnerability

 * Resolved: [Aaron](https://wordpress.org/support/users/akeith2002/) (@akeith2002), [11 years, 10 months ago](https://wordpress.org/support/topic/cross-site-scripting-vulnerability/)
 * I’ve been told by a client’s security experts that the following fields allow XSS exploits:
 * Page: /password-recovery/, field: Username or E-mail
 * Page: /register/, fields: Username, First Name, Last Name, E-mail, Password, Repeat Password
 * When pasting this string: `a'"/><script>alert(2703)</script>`
 * I believe this probably needs a filter or something on the plugin end to correct?
 * Thanks!
 * [https://wordpress.org/plugins/profile-builder/](https://wordpress.org/plugins/profile-builder/)

Viewing 5 replies - 1 through 5 (of 5 total)

 * Plugin Author: [Cristian Antohe](https://wordpress.org/support/users/sareiodata/) (@sareiodata), [11 years, 10 months ago](https://wordpress.org/support/topic/cross-site-scripting-vulnerability/#post-5100973)
 * Hi Aaron,
 * You’re right! We’ll update the plugin by the end of the day in order to take care of this type of exploit.
 * Thread Starter: [Aaron](https://wordpress.org/support/users/akeith2002/) (@akeith2002), [11 years, 10 months ago](https://wordpress.org/support/topic/cross-site-scripting-vulnerability/#post-5101015)
 * Really appreciate the quickness of your response!!!
 * There are actually 2 more smaller items they mentioned:
 * **Finding: Cross-site Request Forgery Vulnerabilities found in Client Community Site**
 * Description: Cross-site Request Forgery vulnerabilities exist on the Client Community Site.
 * The affected pages are: /members-login/, /members-login/password-recovery/, /members-login/register/
 * Although the vulnerabilities do not pose a significant security risk, they should be mitigated in production.
 * Sample Request/Response with vulnerability
 * Recommendations: For some understanding on how to mitigate these vulnerabilities: [https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)](https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF))
 * **Finding: Remember me checked by default on Client Community Test Page**
 * Description: When you navigate to /members-login/, the "remember me" button is already checked. This poses a security risk to access control for users who log in on shared computers and public machines. Although the vulnerabilities do not pose a significant security risk, they should be mitigated in production.
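The three findings above (attribute-context XSS on a re-rendered form field, a missing CSRF token, and "remember me" pre-checked), as an added example in plain PHP that is not the plugin's own code; the function names, the form fields and the in-memory `$session` array are assumptions for illustration.

```php
<?php
// Added example, not code from the Profile Builder plugin: a minimal
// password-recovery form in plain PHP that addresses the three findings
// in the thread. Function names and form fields are assumed for illustration.

// Finding 1 (XSS): re-echoing the submitted value unescaped lets the
// reported string close the value="" attribute and inject a <script> tag.
function render_field_unsafe(string $value): string {
    return '<input type="text" name="username" value="' . $value . '" />';
}

// Fix: escape for the HTML attribute context. ENT_QUOTES encodes both
// ' and ", so the payload stays inert text (WordPress's esc_attr() is
// the plugin-side equivalent).
function render_field_safe(string $value): string {
    $escaped = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="username" value="' . $escaped . '" />';
}

// Finding 2 (CSRF): bind the form to a per-session random token and
// require it on every POST; hash_equals() compares in constant time.
function csrf_token(array &$session): string {
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrf_valid(array $session, array $post): bool {
    return isset($session['csrf'], $post['csrf'])
        && hash_equals($session['csrf'], (string) $post['csrf']);
}

// Finding 3: render "remember me" unchecked unless the user ticked it.
function render_remember_me(array $post): string {
    $checked = !empty($post['remember']) ? ' checked' : '';
    return '<input type="checkbox" name="remember" value="1"' . $checked . ' /> Remember me';
}

// Demonstration with the exact string reported in the thread; $session
// stands in for $_SESSION so the script runs from the command line.
$payload = 'a\'"/><script>alert(2703)</script>';
$session = [];
$token   = csrf_token($session);
echo render_field_unsafe($payload), "\n";   // attribute is broken open
echo render_field_safe($payload), "\n";     // markup survives intact
echo '<input type="hidden" name="csrf" value="' . $token . '" />', "\n";
var_dump(csrf_valid($session, ['csrf' => $token]), csrf_valid($session, ['csrf' => 'x']));
echo render_remember_me([]), "\n";
```

Run with `php example.php` and compare the first two `<input>` lines: only the unescaped one contains a live `<script>` element.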
 * Thread Starter: [Aaron](https://wordpress.org/support/users/akeith2002/) (@akeith2002), [11 years, 10 months ago](https://wordpress.org/support/topic/cross-site-scripting-vulnerability/#post-5101016)
 * Not sure if the first one makes sense to you… the link they sent doesn’t work. I think they probably meant this link: [https://en.wikipedia.org/wiki/Cross-site_request_forgery](https://en.wikipedia.org/wiki/Cross-site_request_forgery)
 * Plugin Author: [Cristian Antohe](https://wordpress.org/support/users/sareiodata/) (@sareiodata), [11 years, 10 months ago](https://wordpress.org/support/topic/cross-site-scripting-vulnerability/#post-5101017)
 * Hi Aaron,
 * Thank you for sending these our way.
 * The XSS exploits are already fixed in the latest version: [http://wordpress.org/plugins/profile-builder/changelog/](http://wordpress.org/plugins/profile-builder/changelog/)
 * I’m going to document myself regarding the second ones and see how we can fix them.
 * Thread Starter: [Aaron](https://wordpress.org/support/users/akeith2002/) (@akeith2002), [11 years, 10 months ago](https://wordpress.org/support/topic/cross-site-scripting-vulnerability/#post-5101019)
 * Again, I cannot thank you enough!!! A+

The topic ‘Cross Site Scripting Vulnerability’ is closed to new replies.