The plugin does not properly sanitize and escape the file name in it’s file uploads functionality before reflecting it back on the page, allowing an unauthenticated attacker to inject arbitrary web scripts via the filename of uploaded files.
CPE | Name | Operator | Version |
---|---|---|---|
wp-copysafe-web | lt | 3.14 |