CVE-2013-3720 – Feedweb < 1.9 - Authenticated (Admin+) Stored Cross-Site Scripting

https://notcve.org/view.php?id=CVE-2013-3720

Cross-site scripting (XSS) vulnerability in widget_remove.php in the Feedweb plugin before 1.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the wp_post_id parameter. Vulnerabilidad de ejecuciónd de secuencias de comandos en sitios cruzados (XSS) en widget_remove.php en el complemento Feedweb anterior a v1.9 para WordPress permite a administradores autenticados a inyectar secuencias de comandos Web o HTML a través del parámetro wp_post_id. The Feedweb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wp_post_id' parameter in versions up to 1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrative privileges to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • http://plugins.trac.wordpress.org/changeset?old_path=%2Ffeedweb&old=689612&new_path=%2Ffeedweb&new=689612 http://secunia.com/advisories/52855 http://wordpress.org/extend/plugins/feedweb/changelog http://www.darksecurity.de/advisories/2013/SSCHADV2013-004.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •