Slideshow Plugin for WordPress 'settings.php' Multiple Parameter XSS

This script is Copyright (C) 2012-2015 Tenable Network Security, Inc.

Synopsis :

The remote web server hosts a PHP script that is affected by multiple
cross-site scripting vulnerabilities.

Description :

The version of Slideshow Plugin for WordPress installed on the remote
host fails to properly sanitize user-supplied input to the 'settings'
and 'inputFields' parameters of the 'settings.php' script before using
them to generate dynamic HTML output. An attacker can leverage these
issues to inject arbitrary HTML and script code into a user's browser
to be executed within the security context of the affected site.
Successful exploitation of these vulnerabilities requires that PHP's
'register_globals' setting be enabled; note that register_globals was
removed entirely in PHP 5.4, so only older PHP installs can satisfy
this prerequisite.

Note that the install is also reportedly affected by an additional
cross-site scripting issue as well as multiple path disclosure issues;
however, Nessus has not tested for these.
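The following is an added illustration of the pattern the description refers to; it is not the Slideshow plugin's own code, and the markup, file layout and helper names are assumptions. Only the two parameter names come from the advisory. It shows why the flaw depends on register_globals: a script that reads $settings and $inputFields as bare PHP variables only receives attacker-controlled values when the request parameters are injected into the global scope (register_globals, or code that reproduces it with extract()). The hardened form reads the parameters explicitly and escapes them for the HTML context they land in.

```php
<?php
// Added illustration of a register_globals-dependent reflected XSS.
// NOT the Slideshow plugin's code: only the parameter names 'settings' and
// 'inputFields' come from the advisory; the markup and layout are assumed.

// With register_globals=on (removed in PHP 5.4) every request parameter became
// a global variable. extract($request) reproduces that effect on modern PHP and
// is used here only so the vulnerable path can be exercised from the CLI.
function render_settings_vulnerable(array $request): string
{
    extract($request);                 // $settings / $inputFields now attacker-controlled
    $settings    = $settings    ?? '';
    $inputFields = $inputFields ?? '';

    // Values are written straight into the HTML. A value such as '"><b>x</b>'
    // closes the attribute and element and injects arbitrary markup.
    return '<input type="hidden" name="settings" value="' . $settings . '">'
         . '<div class="fields">' . $inputFields . '</div>';
}

// Hardened form: take the parameters explicitly from the request array (no
// reliance on the global scope) and escape for the exact output context.
function render_settings_hardened(array $request): string
{
    $settings    = isset($request['settings'])    ? (string) $request['settings']    : '';
    $inputFields = isset($request['inputFields']) ? (string) $request['inputFields'] : '';

    // ENT_QUOTES also encodes single quotes, which matters in attribute context.
    $attr = htmlspecialchars($settings,    ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $text = htmlspecialchars($inputFields, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Inside WordPress, esc_attr() and esc_html() are the equivalent helpers.

    return '<input type="hidden" name="settings" value="' . $attr . '">'
         . '<div class="fields">' . $text . '</div>';
}

// Constructed probe (harmless markers, not a weaponised payload): one value
// breaks out of a quoted attribute, the other injects an element as text.
$probe = [
    'settings'    => '"><b>probe</b>',
    'inputFields' => '<i>probe</i>',
];

echo render_settings_vulnerable($probe), PHP_EOL; // probe markup emitted verbatim
echo render_settings_hardened($probe),   PHP_EOL; // emitted as &quot;&gt;&lt;b&gt;probe&lt;/b&gt; ...
```

To confirm whether the prerequisite can even be met on a target, check the PHP version and the setting directly on the host: on PHP 5.3 and earlier `php -i | grep register_globals` shows the effective value; on PHP 5.4 and later the directive no longer exists, so this particular reflection path is not reachable, although the underlying lack of output escaping is still worth fixing by upgrading to 2.1.13 or later.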

See also :

Solution :

Upgrade to version 2.1.13 or later.

Risk factor :

Medium / CVSS Base Score : 4.3
CVSS Temporal Score : 4.1
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 63302

Bugtraq ID: 56090