https://www.pluginvulnerabilities.com/2017/06/09/authenticated-persistent-cross-site-scripting-xss-in-wp-posts-carousel/

Recently we found that the plugin WP Posts Carousel has an authenticated persistent cross-site scripting (XSS) vulnerability due to a lack of sanitization or escaping when shortcode attributes are output in JavaScript code generated by the plugin.

For example, the “dots_speed” attribute is added to the output with the following line in the file /carousel-generator.class.php:

456
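The pattern described above, shown beside a hardened form as an added example. This is not the plugin's code; the function names, the `label` attribute, the default value and the bounds are assumptions made for illustration.

```php
<?php
// Added illustration, not the plugin's code. Function names, the "label"
// attribute, the default and the bounds are assumptions for this example.

// Vulnerable pattern: the attribute is concatenated into inline JavaScript.
function carousel_js_unsafe(array $atts): string {
    return '<script>var cfg = { dotsSpeed: ' . $atts['dots_speed'] . ' };</script>';
}

// Hardened pattern: validate by type, then encode for the script context.
function carousel_js_safe(array $atts): string {
    // A speed is a duration in ms, so accept only a bounded integer.
    $speed = filter_var($atts['dots_speed'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 60000]]);
    if ($speed === false) {
        $speed = 1000; // fall back to an assumed default
    }
    // Free-text values are JSON-encoded with the HEX flags so that <, >, &,
    // ' and " become \uXXXX escapes and cannot close the string or the
    // <script> element. In WordPress, wp_json_encode() accepts the same flags.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE;
    $cfg = json_encode(
        ['dotsSpeed' => $speed, 'label' => (string) ($atts['label'] ?? '')],
        $flags
    );
    return '<script>var cfg = ' . $cfg . ';</script>';
}

// Constructed shortcode attributes, as an authenticated user could supply them.
$atts = [
    'dots_speed' => '1 /* text from the shortcode lands in the script */',
    'label'      => '</script> "quoted" & more',
];

echo carousel_js_unsafe($atts), PHP_EOL; // attribute text appears verbatim in the JS
echo carousel_js_safe($atts), PHP_EOL;   // speed replaced by default, label escaped
```

Run with the PHP CLI and compare the two `<script>` lines: only the second keeps the attribute values confined to data.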
