CVE-2026-41556

Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.16.13 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Severity: medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.4
Patched in: 4.16.14
Time to patch: 8d

Description

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.16.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 4.16.13
Published: April 23, 2026
Last updated: April 30, 2026
Affected plugin: wp-user-avatar

What Changed in the Fix

Changes introduced in v4.16.14


Source Code

WordPress.org SVN
Research Plan (Unverified)


CVE-2026-41556 - ProfilePress Stored XSS Research Plan

1. Vulnerability Summary

The ProfilePress plugin (formerly WP User Avatar) is vulnerable to Authenticated (Subscriber+) Stored Cross-Site Scripting in versions up to 4.16.13. The vulnerability exists because the plugin fails to sanitize or escape user-controlled profile data (specifically fields associated with a "Customer" entity) before rendering it in the administrative dashboard's "Customer Details" metabox.

An attacker with Subscriber-level access can update their own profile information with a malicious payload. When an administrator views that user's record in the ProfilePress "Customers" menu, the script executes in the admin context, potentially allowing for full site compromise.

2. Attack Vector Analysis

  • Vulnerable Endpoint: The "Customer Details" metabox in the WordPress admin area.
  • URL: wp-admin/admin.php?page=ppress-membership-customers&view-customer=[ID]
  • Input Source: User Profile fields (e.g., First Name, Last Name, or Billing Address fields) updated via the ProfilePress "Edit Profile" or "My Account" forms.
  • Authentication Level: Subscriber (or any role capable of editing their own profile information).
  • Vulnerable Sink: src/Admin/SettingsPages/Membership/views/customers/data-metabox.php.

3. Code Flow

  1. Source: A Subscriber submits an "Edit Profile" form. The data is saved to user meta (e.g., first_name, last_name, billing_first_name).
  2. Retrieval: When an admin views the customer, ProfilePress\Core\Membership\Models\Customer\CustomerFactory (inferred) creates a CustomerEntity object for that user.
  3. Sink: The file src/Admin/SettingsPages/Membership/views/customers/data-metabox.php renders the data:
    • Line ~36: <span class="customer-name"><?php echo $customer_data->get_name() ?></span>
    • Line ~101 (Billing Section): printf('<strong>%s</strong>: %s', esc_html($field['label']), $detail);
  4. Failure: $customer_data->get_name() is echoed directly without esc_html(), so any markup stored in the name fields is rendered as HTML in the admin page. While $detail in the billing section passes through wp_kses_post(), wp_kses_post allows tags such as <img> and <a>, which can be used for XSS if event-handler attributes (e.g., onerror) or javascript: URLs are not properly stripped.
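
The unescaped echo from step 3 beside a hardened rendering, as an added example that is not ProfilePress code: CustomerStub, the esc_html() shim and the stored value are constructed so the script runs outside WordPress, and the hardened form shows how a defender would escape these sinks, not the project's actual patch in v4.16.14.

```php
<?php
// Added example, not ProfilePress code. The esc_html() shim and CustomerStub
// are stand-ins (assumptions) so this runs as a plain PHP script.

if (!function_exists('esc_html')) {
    // Stand-in for WordPress esc_html(): encodes <, >, &, " and ' for an HTML text context.
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed stand-in for CustomerEntity (the real class is not shown on the page).
final class CustomerStub
{
    public function __construct(private string $first, private string $last) {}

    public function get_name(): string
    {
        return $this->first . ' ' . $this->last;
    }
}

// Vulnerable pattern as described in the advisory: profile data echoed raw.
function render_name_vulnerable(CustomerStub $c): string
{
    return '<span class="customer-name">' . $c->get_name() . '</span>';
}

// Hardened: escape at the sink. A name is plain text, so esc_html() is the right escaper.
function render_name_hardened(CustomerStub $c): string
{
    return '<span class="customer-name">' . esc_html($c->get_name()) . '</span>';
}

// Billing rows: label and value are both plain text, so escape both with esc_html().
// wp_kses_post() is meant for content that legitimately contains HTML, not for form fields.
function render_billing_row(string $label, string $detail): string
{
    return sprintf('<strong>%s</strong>: %s', esc_html($label), esc_html($detail));
}

// Constructed value of the kind a low-privilege user could store in a profile field.
$stored   = '<img src=x onerror="alert(1)">';
$customer = new CustomerStub($stored, 'Doe');

echo render_name_vulnerable($customer), PHP_EOL;   // markup reaches the admin page intact
echo render_name_hardened($customer), PHP_EOL;     // markup is rendered as literal text
echo render_billing_row('First name', $stored), PHP_EOL;
```

Diffing the two name outputs in a browser or with a unit test is a quick regression check that every profile field reaching the "Customer Details" metabox is escaped at the point of output.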

4. Nonce Acquisition Strategy

To update the profile, a Subscriber needs to interact with the ProfilePress "My Account" page.

  1. Shortcode Page: Create a page with the [profilepress-my-account] shortcode.
  2. Navigation: Use browser_navigate to visit the page as the Subscriber.
  3. Extraction:
    • The "Edit Profile" form typically contains a _wpnonce field.
    • Alternatively, ProfilePress often localizes script data. Check for ppress_frontend_script or similar variables.
    • Target Variable: window.ppressFrontendConfig?.nonce or a hidden input named _wpnonce inside the form with ID ppress-edit-profile-form.

5. Exploitation Strategy

  1. Setup Subscriber: Create a Subscriber-level user.
  2. Setup My Account: Create a page with the shortcode [profilepress-my-account].
  3. Capture Nonce: Navigate to the My Account page as Subscriber and extract the _wpnonce from the Account Details/Edit Profile form.
  4. Inject Payload: Send a POST request to update the profile.
    • Action: pp_edit_profile_action (Inferred from common ProfilePress profile update handlers).
    • Target Parameter: first_name or billing_first_name.
    • Payload: `
