Slideshow Plugin for WordPress contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'randomId', 'slides', and 'settings' parameters upon submission to the views/SlideshowPlugin/slideshow.php script. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Currently, there are no known workarounds or upgrades to correct this issue. However, a patch has been committed to the SVN repository that addresses this vulnerability. Until it is incorporated into the next release of the software, manually patching an existing installation is the only known available solution. Check the vendor advisory or solution URL in the references section.

• Secunia Advisory ID: 51135
• ISS X-Force ID: 79448 79711
• Related OSVDB ID: 86782
• Vendor Specific News/Changelog Entry: http://plugins.trac.wordpress.org/browser/slideshow-jquery-image-gallery/trunk
• Vendor Specific Solution URL: http://plugins.trac.wordpress.org/browser/slideshow-jquery-image-gallery/trunk/views/SlideshowPlugin/slideshow.php
• Vendor URL: http://wordpress.org/extend/plugins/slideshow-jquery-image-gallery/ [ Link is 404 ]
• Other Advisory URL: http://www.waraxe.us/content-92.html

• Janek Vind "waraxe" - waraxe

NVD does not currently have a CVSSv2 score assigned.