The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.
1. Go to the plugin settings, fill in all the settings, then save.
2. Insert the following shortcode in a post/page: `[wpic speed='"}); alert(1); jQuery({"temp":true']`
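The shape of the proof-of-concept payload (it closes a string and a `jQuery({...})` call before injecting `alert(1)`) indicates that the `speed` attribute is concatenated unescaped into an inline jQuery configuration object. The following hardened shortcode handler is an added example written for this page, not the wp-image-carousel plugin's own code; the callback name, the default speed, the `.wpic()` jQuery method and the markup are assumptions. It shows the two controls that close this class of bug: type-coercing a numeric attribute and escaping at every output sink.

```php
<?php
// Added example (not the plugin's code): a hypothetical hardened handler
// for a [wpic speed=...] shortcode. Runs inside WordPress.

add_shortcode( 'wpic', 'wpic_example_shortcode' );

function wpic_example_shortcode( $atts ) {
    // shortcode_atts() merges user attributes with defaults and drops any
    // attribute that is not in the defaults list.
    $atts = shortcode_atts(
        array(
            'speed' => 5000, // assumed default: milliseconds between slides
        ),
        $atts,
        'wpic'
    );

    // "speed" is a number, so treat it as one. absint() turns a payload such
    // as '"}); alert(1); jQuery({"temp":true' into 0; fall back to the default
    // rather than emitting an attacker-controlled string.
    $speed = absint( $atts['speed'] );
    if ( 0 === $speed ) {
        $speed = 5000;
    }

    // Unique element id so several carousels can share a page (wp_unique_id()
    // is a core function since WordPress 5.0.3).
    $id = 'wpic-' . wp_unique_id();

    // Configuration passed to the (assumed) jQuery plugin. Only validated
    // values go in here.
    $config = array( 'speed' => $speed );

    // Escape for each sink:
    //  - esc_attr() for an HTML attribute value,
    //  - esc_js() for a value placed inside a JavaScript string literal,
    //  - wp_json_encode() with the JSON_HEX_* flags for a JavaScript object,
    //    so <, >, &, ' and " are hex-escaped and the value cannot terminate
    //    the object, the string or the <script> element.
    $json = wp_json_encode(
        $config,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );

    $out  = '<div id="' . esc_attr( $id ) . '" class="wpic-carousel"></div>';
    $out .= '<script>jQuery(function ($) { $("#' . esc_js( $id ) . '").wpic('
          . $json . '); });</script>';

    return $out;
}
```

With this handler, the advisory's payload produces `{"speed":5000}` in the inline script and the carousel simply runs at the default speed. The same pattern applies to any other attribute the plugin accepts: decide its type first (integer, one of a fixed set of keywords, a URL passed through `esc_url()`), then escape with the function that matches the exact context it is written into.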
| CPE | Name | Operator | Version |
|---|---|---|---|
| | wp-image-carousel | eq | * |