This effects version 0.1 of abc-test the hole is fixed in version 0.2 --------- Affected products: --------- Product : wordpress plugin abc-test Affected file: abctest_config.php ---- Details: ---- The file abctest_config.php does not sanitize the input from $_GET ['id'] effectively. This allows a user to launch a cross site scripting attack against this file. While the effectiveness of such an attack is somewhat limited by the wordpress platform adding \ to quotes, it still may be possible to inject cookie stealing objects (flash files for example). Example code: http://localhost/blog/wp-admin/admin.php?page=abctest&do=edit&id=%22%3E%3Ch1 %3EXSS%3C/h1 ------- Suggested fix: ------- Sanitize the $_GET super global. ---- Timeline: ---- 24-Sept-2012 Vendor and wordpress informed. 25-Sept-2012 Vendor confirmed the security issue and patched. 26-Sept-2012 Public release of the vulnerability, via the full disclosure and http://scott-herbert.com/blog/2012/09/26/xss-vulnerability-in-wordpress-plug in-abc-test-1107