09 Jun

Authenticated Persistent Cross-Site Scripting (XSS) in WP Posts Carousel

Recently we found that the plugin WP Posts Carousel has an authenticated persistent cross-site scripting (XSS) vulnerability due to a lack of sanitation or escaping when shortcode attributes are output in Javascript code generated by the plugin. For example, the “dots_speed attribute is added to the output with the following line in the file /carousel-generator.class.php: 456 dotsSpeed: [Read more]