Description
Two vulnerabilities have been discovered in the Count per Day plugin for WordPress, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.
1) Input passed via the "daytoshow" POST parameter to wp-content/wp-admin/index.php (when "page" is set to "cpd_metaboxes") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
2) Input passed via the "Referer" HTTP header to index.php is not properly sanitised before being used. This can be exploited to insert HTML and script code, which will be executed in a user's browser session in the context of an affected site if malicious data is viewed.
The vulnerabilities are confirmed in version 3.2.5. Other versions may also be affected.
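Both issues share one root cause: request-controlled text (a POST parameter in the first case, the Referer header in the second) is placed into an HTML page without escaping. The PHP below is an added illustration, not Count per Day plugin code; the function names, the `30`-day fallback and the sample inputs are assumptions made for the example. It contrasts the vulnerable pattern with an output-escaping fix using PHP's standard `htmlspecialchars`, and runs stand-alone on the command line.

```php
<?php
// Added example, not Count per Day plugin code. Shows how the two
// advisory items arise (untrusted input echoed into HTML verbatim) and
// the fix: escape at output time with htmlspecialchars(ENT_QUOTES).
// Function names and the 30-day default are hypothetical.

// Vulnerable pattern, kept only for contrast: the POST value lands inside
// an attribute and the Referer header inside a table cell, unescaped.
function render_vulnerable(string $daytoshow, string $referer): string {
    $html  = '<input type="text" name="daytoshow" value="' . $daytoshow . '">';
    $html .= '<td>' . $referer . '</td>';
    return $html;
}

// Escape for an HTML text or attribute context (quotes included).
function esc_html_ctx(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: validate what has a known shape, escape everything
// else at the exact point it is written into the document.
function render_hardened(string $daytoshow, string $referer): string {
    // "daytoshow" is a day count: accept digits only, otherwise use a default.
    $days = ctype_digit($daytoshow) ? (int) $daytoshow : 30;
    $html  = '<input type="text" name="daytoshow" value="' . $days . '">';
    // A Referer is free-form, attacker-controlled text; escape it before output.
    $html .= '<td>' . esc_html_ctx($referer) . '</td>';
    return $html;
}

// Constructed inputs standing in for $_POST['daytoshow'] and
// $_SERVER['HTTP_REFERER']; the markers show where markup would land.
$post_daytoshow = '"><b>marker</b>';
$referer        = 'http://example.invalid/?q=<b>marker</b>';

echo "vulnerable: " . render_vulnerable($post_daytoshow, $referer) . "\n";
echo "hardened:   " . render_hardened($post_daytoshow, $referer) . "\n";
```

In the vulnerable output the `"` in the POST value closes the attribute and the `<b>` tags in both inputs become live markup; in the hardened output the day count is reduced to an integer and the Referer is rendered as inert text (`&lt;b&gt;marker&lt;/b&gt;`). Inside WordPress the same fix is normally written with the core helpers `esc_attr()` and `esc_html()`, which wrap the same escaping.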