A member of a Plone site could store JavaScript in the home_page property of their profile (typically as a javascript: URL), and have it executed in the browser of any visitor who clicks the home page link on the author page. This is a stored cross-site scripting (XSS) issue: the member-controlled value is rendered as a link target, and HTML attribute escaping alone does not stop a javascript: URL from running on click.

References:
https://nvd.nist.gov/vuln/detail/CVE-2017-1000482
https://plone.org/security/hotfix/20171128/xss-using-the-home_page-member-property
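The following is an added example, not code from Plone or from the hotfix, showing the shape of this bug class in plain Python: a vulnerable renderer that escapes the attribute but still emits a javascript: link, beside a fix that allow-lists the URL scheme before the value reaches an href. The function names, the allowed-scheme set and the sample inputs are illustrative assumptions; the normalisation mirrors what browsers do to URL input (tabs and newlines dropped, leading/trailing controls stripped, backslash treated as slash in http(s) URLs), which is why a naive prefix check on "javascript:" is not enough.

```python
import html
import re
from urllib.parse import urlsplit

# Illustrative example, not Plone's hotfix code. Allowed link targets for a
# member-supplied home page: absolute http(s) URLs and site-relative paths.
ALLOWED_SCHEMES = {"http", "https"}

# Browsers drop tab/LF/CR anywhere in a URL and strip leading/trailing C0
# controls and spaces before parsing, so "java\tscript:x" is "javascript:x"
# to the browser. Normalise the same way before checking the scheme.
_STRIP_ANYWHERE = re.compile(r"[\t\n\r]")
_C0_AND_SPACE = "".join(map(chr, range(0x21)))


def normalize_url(value):
    """Apply browser-style input normalisation so the check sees what the browser sees."""
    return _STRIP_ANYWHERE.sub("", value).strip(_C0_AND_SPACE)


def is_safe_home_page(value):
    """Return True only for absolute http(s) URLs or site-relative paths."""
    if not isinstance(value, str):
        return False
    url = normalize_url(value)
    # In http(s) URLs browsers treat "\" as "/", so "/\evil.test/" is really
    # the protocol-relative "//evil.test/": refuse backslashes outright.
    if not url or "\\" in url:
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 host
        return False
    scheme = parts.scheme.lower()
    if scheme:
        # javascript:, data:, vbscript:, about: ... all fail here.
        return scheme in ALLOWED_SCHEMES and bool(parts.netloc)
    # No scheme: accept a site-relative path only. A protocol-relative
    # "//evil.test" sets netloc; a bare "evil.test" does not start with "/".
    return not parts.netloc and url.startswith("/")


def render_home_page_link_vulnerable(home_page, label="Home page"):
    """Before: the member value goes straight into href.

    Attribute escaping keeps the HTML well-formed, but a javascript: URL
    survives it intact and runs when the visitor clicks the link.
    """
    return '<a href="%s">%s</a>' % (
        html.escape(home_page, quote=True),
        html.escape(label),
    )


def render_home_page_link(home_page, label="Home page"):
    """After: only allow-listed targets become a link; otherwise plain text."""
    if not is_safe_home_page(home_page):
        return html.escape(label)
    href = html.escape(normalize_url(home_page), quote=True)
    return '<a href="%s">%s</a>' % (href, html.escape(label))


if __name__ == "__main__":
    # Constructed sample inputs, as a member might store them in home_page.
    samples = [
        "https://example.org/~jane",
        "/Members/jane",
        "javascript:alert(1)",
        "java\tscript:alert(1)",
        "//evil.test/",
        "/\\evil.test/",
    ]
    for s in samples:
        print(repr(s), "->", render_home_page_link(s))
```

Note that the fix is applied at render time as well as validation time; validating on save alone is not enough when existing stored values (or values written through other code paths) predate the check.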