The Dynamic Widgets WordPress plugin up to and including 1.5.16 does not escape the prefix parameter before outputting it back in an attribute when using the term_tree AJAX action (available to any authenticated users), leading to a Reflected Cross-Site Scripting issue
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
bootstrapped dynamic widgets |