Register Plus For WordPress Cross Site Scripting / Path Disclosure

`Hello Bugtraq!  
  
I want to warn you about Cross-Site Scripting, Insufficient Anti-automation  
and Full path disclosure vulnerabilities in plugin Register Plus for  
WordPress.  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are versions of plugin Register Plus 3.5.1 and previous versions.  
Also for Insufficient Anti-automation are vulnerable WordPress 3.0.1 and  
previous versions.  
  
----------  
Details:  
----------  
  
XSS (WASC-08):  
  
POST request at page http://site/wp-login.php?action=register  
  
"><script>alert(document.cookie)</script>  
In fields: First Name, Last Name, Website, AIM, Yahoo IM, Jabber / Google  
Talk, Password, Confirm Password.  
  
</textarea><script>alert(document.cookie)</script>  
In field: About Yourself.  
  
Insufficient Anti-automation (WASC-21):  
  
http://site/wp-login.php?action=register  
  
In registration form there is no protection from automated requests  
(captcha). There is such vulnerability also in WordPress itself.  
  
Full path disclosure (WASC-13):  
  
http://site/wp-content/plugins/register-plus/dash_widget.php  
  
http://site/wp-content/plugins/register-plus/register-plus.php  
  
------------  
Timeline:  
------------  
  
2010.09.17 - announced at my site.  
2010.09.18 - informed developer.  
2010.11.24 - disclosed at my site.  
  
Taking into account, that this plugin is no more supported by developer,  
then users of the plugin need to fix these holes by themselves.  
  
I mentioned about these vulnerabilities at my site  
(http://websecurity.com.ua/4539/).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  
`