CVE-2024-1046: 
WordPress vulnerability analysis and mitigation

The ProfilePress WordPress plugin (formerly wp-user-avatar) contains a Stored Cross-Site Scripting vulnerability (CVE-2024-1046) in versions up to and including 4.14.3. The vulnerability exists in the plugin's 'reg-number-field' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. The issue was discovered by Ngô Thiên An (ancorn_) and was publicly disclosed on February 1, 2024 (WPScan, Wordfence).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) with a CVSS v3.1 base score of 5.4 (Medium) according to NVD, and 6.4 (Medium) according to Wordfence. The issue stems from the plugin's failure to properly validate and escape the reg-number-field shortcode attributes before outputting them back in a page or post where the shortcode is embedded (NVD).

This vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. When users access the affected pages, these malicious scripts will execute in their browsers, potentially leading to various attacks including data theft or session hijacking (NVD).

The vulnerability has been patched in version 4.14.4 of the ProfilePress plugin. Users are advised to update to this version or later to protect against this security issue (WPScan).