The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_container' attribute of the 'include-post-by-cat' shortcode in all versions up to, and including, 0.4.200706 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The VI: Include Post By WordPress plugin versions up to 0.4.200706 contains a Stored XSS vulnerability in the 'class_container' attribute of the 'include-post-by-cat' shortcode due to insufficient input sanitization. Authenticated contributors and above can inject malicious scripts that execute when users access affected pages.
The VI: Include Post By plugin contains a Stored XSS vulnerability in the 'class_container' attribute of the 'include-post-by-cat' shortcode due to insufficient input sanitization and output escaping. Authenticated users with contributor-level access and above can inject malicious scripts that execute when users access the affected pages.
Update the VI: Include Post By plugin to version 0.4.200707 or later immediately. If immediate patching is not possible, restrict contributor-level access to trusted users only and implement Web Application Firewall rules to detect and block XSS payloads in shortcode attributes.
Update the VI: Include Post By plugin to version 0.4.200707 or later immediately. If an immediate update is not possible, restrict contributor-level access to trusted users only and apply Web Application Firewall rules to detect and block XSS injection.
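To show the pattern the advisory describes (an unescaped shortcode attribute used as a CSS class) next to the sanitization and escaping that the fix calls for, here is an added illustration. It is not the plugin's code; the handler and helper names are hypothetical, and only the shortcode name and the 'class_container' attribute come from the advisory.

```php
<?php
// Added illustration, not the VI: Include Post By plugin's own code.
// Function names (ipb_*) are assumptions; only 'include-post-by-cat' and
// 'class_container' are taken from the advisory.

// Unsafe pattern: the user-supplied attribute is concatenated into HTML as-is.
// A contributor-level author controls this value through the shortcode, so a
// '"' or '<' inside it breaks out of the class attribute or the tag itself.
function ipb_unsafe_handler( $atts ) {
    $atts = shortcode_atts(
        array( 'class_container' => 'ipb-container' ),
        $atts,
        'include-post-by-cat'
    );
    return '<div class="' . $atts['class_container'] . '">[posts]</div>';
}

// Hardened pattern, step 1: whitelist each class token on input.
// sanitize_html_class() keeps only [A-Za-z0-9_-], so quotes, angle brackets
// and anything else that could terminate the attribute are dropped.
// Tokens are split on whitespace first so a legitimate list of several
// classes survives instead of being collapsed into one token.
function ipb_sanitize_class_list( $value ) {
    $tokens = preg_split( '/\s+/', trim( (string) $value ) );
    $clean  = array();
    foreach ( $tokens as $token ) {
        $token = sanitize_html_class( $token );
        if ( '' !== $token ) {
            $clean[] = $token;
        }
    }
    return implode( ' ', $clean );
}

// Hardened pattern, step 2: escape at the output sink as well, so the markup
// stays safe even if the input sanitizer is weakened later (defense in depth).
function ipb_safe_handler( $atts ) {
    $atts = shortcode_atts(
        array( 'class_container' => 'ipb-container' ),
        $atts,
        'include-post-by-cat'
    );
    $classes = ipb_sanitize_class_list( $atts['class_container'] );
    if ( '' === $classes ) {
        $classes = 'ipb-container'; // fall back to the default if nothing survived
    }
    return '<div class="' . esc_attr( $classes ) . '">[posts]</div>';
}

add_shortcode( 'include-post-by-cat', 'ipb_safe_handler' );
```

Both functions use the real WordPress helpers shortcode_atts(), sanitize_html_class(), esc_attr() and add_shortcode(); the [posts] placeholder stands in for whatever the shortcode actually renders.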