Pinterest Badge (XSS)

Today I will tell you about another cross-site scripting (XSS) vulnerability that I discovered in the “Pinterest Badge” plugin, version 1.8.0.

The security fault is found in the “uid” parameter of the “/wp-content/plugins/pinterest-badge/pinterestbadgedetails.php” file which, as can be seen in the following capture, lacks the necessary mechanisms to prevent code injection.

The malicious code runs without problems.

This screenshot shows the code inside the HTML body.
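
The missing mechanisms for a reflected parameter such as “uid” are input validation and context-aware output encoding. The following is an added example, not the plugin's own code: the function names, the assumed user-name format and the markup are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added illustration, not the plugin's source. Function names, the assumed
// user-name pattern and the badge markup are hypothetical.

/** Allow-list check: return the uid only if it looks like a plain account name. */
function badge_clean_uid($raw): ?string
{
    if (!is_string($raw)) {            // ?uid[]=x arrives as an array, reject it
        return null;
    }
    $uid = trim($raw);
    // Assumed format: letters, digits and underscore, 3 to 30 characters.
    return preg_match('/\A[A-Za-z0-9_]{3,30}\z/', $uid) === 1 ? $uid : null;
}

/** Encode a value for HTML text or a quoted attribute value. */
function badge_esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the badge markup, validating first and encoding per output context. */
function badge_render($raw): string
{
    $uid = badge_clean_uid($raw);
    if ($uid === null) {
        // Never echo the rejected value back into the page.
        return '<p>Invalid Pinterest user.</p>';
    }
    // URL path segment: percent-encode, then HTML-encode the whole attribute.
    $href = 'https://www.pinterest.com/' . rawurlencode($uid) . '/';
    return sprintf(
        '<a class="pinterest-badge" href="%s">%s</a>',
        badge_esc_html($href),
        badge_esc_html($uid)
    );
}

// Constructed sample inputs standing in for $_GET['uid'].
foreach (['example_user', '"><b>markup</b>', ['array']] as $sample) {
    echo badge_render($sample), PHP_EOL;
}
```

Only the first sample produces a badge; the other two fall through to the fixed error message. Inside WordPress, `esc_html()`, `esc_attr()` and `esc_url()` are the core helpers for the same output contexts.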




