Register Plus Redux 3.6.1 Cross Site Scripting / Path Disclosure

`Hello Full-Disclosure!  
  
I want to warn you about Cross-Site Scripting, Insufficient Anti-automation  
and Full path disclosure vulnerabilities in plugin Register Plus Redux for  
WordPress. Register Plus Redux is a fork of plugin Register Plus.  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are versions of plugin Register Plus Redux 3.6.1 and previous  
versions.  
  
----------  
Details:  
----------  
  
XSS (WASC-08):  
  
POST request at page http://site/wp-login.php?action=register  
  
"><script>alert(document.cookie)</script>  
In fields: First Name, Last Name, Website, AIM, Yahoo IM, Jabber / Google  
Talk, Password, Confirm Password.  
  
</textarea><script>alert(document.cookie)</script>  
In field: About Yourself.  
  
Insufficient Anti-automation (WASC-21):  
  
http://site/wp-login.php?action=register  
  
In registration form there is no protection from automated requests  
(captcha).  
  
Full path disclosure (WASC-13):  
  
http://site/wp-content/plugins/register-plus-redux/dash_widget.php  
  
http://site/wp-content/plugins/register-plus-redux/register-plus-redux.php  
  
At POST request at page http://site/wp-login.php?action=register.  
  
------------  
Timeline:  
------------  
  
2010.09.18 - announced at my site.  
2010.09.19 - informed developer.  
2010.12.02 - disclosed at my site.  
  
I mentioned about these vulnerabilities at my site  
(http://websecurity.com.ua/4542/).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua  
  
`