Recently we found that the plugin WP Posts Carousel has an authenticated persistent cross-site scripting (XSS) vulnerability, caused by a lack of sanitization or escaping when shortcode attributes are output into the JavaScript code generated by the plugin.
For example, the “dots_speed” attribute is added to the output with the following line in the file /carousel-generator.class.php:
456
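To make the bug class concrete, here is an added illustration that is not taken from WP Posts Carousel: a hypothetical shortcode handler (function names, the `hypo_carousel` shortcode and the `.hypo-carousel` selector are all assumed) that copies a shortcode attribute into generated JavaScript, shown first unescaped and then hardened with WordPress core's own sanitization and escaping helpers.

```php
<?php
// Added, hypothetical example; not the plugin's code.
// Demonstrates the bug class described above: a shortcode attribute
// inserted into inline JavaScript without sanitization or escaping.

// --- Vulnerable pattern --------------------------------------------
function hypo_carousel_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'dots_speed' => '500' ), $atts, 'hypo_carousel' );
    // $atts['dots_speed'] is concatenated verbatim into a <script> block.
    // Any user allowed to insert the shortcode controls this value, and it
    // is stored with the post, so the issue is persistent rather than
    // reflected.
    return '<script>jQuery(".hypo-carousel").carousel({ dotsSpeed: '
        . $atts['dots_speed'] . ' });</script>';
}

// --- Hardened pattern ----------------------------------------------
function hypo_carousel_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'dots_speed' => '500' ), $atts, 'hypo_carousel' );

    // 1. Sanitize on input: the attribute is meant to be a number, so coerce
    //    it to one. absint() (WordPress core) returns a non-negative integer.
    $dots_speed = absint( $atts['dots_speed'] );

    // 2. Escape on output: wp_json_encode() (WordPress core) emits the whole
    //    options array as a JavaScript literal. JSON_HEX_TAG additionally
    //    encodes < and >, so a string-typed option can never close the
    //    surrounding <script> element.
    $options = array( 'dotsSpeed' => $dots_speed );
    return '<script>jQuery(".hypo-carousel").carousel('
        . wp_json_encode( $options, JSON_HEX_TAG ) . ');</script>';
}
```

The same two steps apply to string-typed attributes: validate them against an allow-list or with the appropriate `sanitize_*` helper on input, and emit them through `wp_json_encode()` or `esc_js()` on output rather than by string concatenation.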