WordPress WP Symposium Plugin 'get_profile_avatar.php' Cross Site Scripting Vulnerability

Bugtraq ID:	51017
Class:	Input Validation Error
CVE:	CVE-2011-3841
Remote:	Yes
Local:	No
Published:	Dec 12 2011 12:00AM
Updated:	Dec 12 2011 12:00AM
Credit:	Secunia Research
Vulnerable:	WP Symposium WP Symposium 11.11.26
Not Vulnerable:	WP Symposium WP Symposium 11.12.8

WordPress WP Symposium Plugin 'get_profile_avatar.php' Cross Site Scripting Vulnerability

The WP Symposium plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

WP Symposium 11.11.26 is vulnerable; other versions may also be affected.

WordPress WP Symposium Plugin 'get_profile_avatar.php' Cross Site Scripting Vulnerability

Attackers can exploit this issue by enticing an unsuspecting victim to follow a malicious URI.

WordPress WP Symposium Plugin 'get_profile_avatar.php' Cross Site Scripting Vulnerability

Solution:
Updates are available. Please see the references for details.

WordPress WP Symposium Plugin 'get_profile_avatar.php' Cross Site Scripting Vulnerability

References:

• Release note of V 11.12.08 (WP Symposium)
  
• WordPress Homepage (WordPress)
  
• WP Symposium Download Page (WP Symposium)