CVSS: 6.1 • EPSS: 0% • CPEs: 4 • EXPL: 1

Cross-site scripting (XSS) vulnerability in lazyest-backup.php in the Lazyest Backup plugin before 0.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the xml_or_all parameter.

The Lazyest Backup plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'xml_or_all' parameter found in the lazyest-backup.php file in versions up to 0.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

• http://plugins.trac.wordpress.org/changeset?reponame=&new=470737%40lazyest-backup&old=468541%40lazyest-backup
• http://secunia.com/advisories/47092
• http://wordpress.org/extend/plugins/lazyest-backup/changelog
• http://www.osvdb.org/77493
• http://www.securityfocus.com/bid/50900
• https://exchange.xforce.ibmcloud.com/vulnerabilities/71650

• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')