Recently we found that the plugin WP Posts Carousel has an authenticated persistent cross-site scripting (XSS) vulnerability due to a lack of sanitization or escaping when shortcode attributes are output in JavaScript code generated by the plugin.

For example, the “dots_speed” attribute is added to the output with the following line in the file /carousel-generator.class.php:
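As an added illustration (not the plugin's code; the shortcode name and function names are assumed), the following hypothetical handler shows the unsafe pattern the advisory describes, where a shortcode attribute is concatenated straight into inline JavaScript, next to a version that coerces and JSON-encodes the option before it reaches the script:

```php
<?php
// Constructed example, not taken from WP Posts Carousel.

// Unsafe pattern: the raw attribute value is interpolated into a <script> block.
// Any user who may save shortcodes (e.g. a contributor) controls the attribute, so a value
// carrying JavaScript syntax terminates the numeric literal and runs in every visitor's
// browser on each page view (persistent XSS).
function demo_carousel_js_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'dots_speed' => '500' ), $atts, 'demo_carousel' );
    return '<script>var carouselOpts = { dots_speed: ' . $atts['dots_speed'] . ' };</script>';
}

// Hardened pattern: enforce the expected type first, then let wp_json_encode() build the
// whole options object so that no attribute is ever spliced into JavaScript as raw text.
function demo_carousel_js_safe( $atts ) {
    $atts = shortcode_atts(
        array(
            'dots_speed' => 500,
            'theme'      => 'default',
        ),
        $atts,
        'demo_carousel'
    );

    $opts = array(
        // Numeric option: only digits survive, which is all the script should expect.
        'dots_speed' => absint( $atts['dots_speed'] ),
        // String option: restricted to a known set instead of trusting free text.
        'theme'      => in_array( $atts['theme'], array( 'default', 'dark' ), true )
            ? $atts['theme']
            : 'default',
    );

    // JSON_HEX_* flags additionally hex-encode <, >, &, ' and " so that even string values
    // cannot close the surrounding <script> element or break out of an HTML attribute.
    $json = wp_json_encode( $opts, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT );

    return '<script>var carouselOpts = ' . $json . ';</script>';
}

add_shortcode( 'demo_carousel', 'demo_carousel_js_safe' );
```

When the script is enqueued rather than printed inline, the same encoded object can be passed through wp_add_inline_script() or wp_localize_script() instead of hand-built string concatenation.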

