Cross-site scripting vulnerability in ZooEffect Plugin for Video player, Photo Gallery Slideshow jQuery and audio / music / podcast – HTML, version 1.08


Last revised:

This plugin emits the referer, unsanitised, into javascript in its option page at line line 283 of wp-1pluginjquery.php.

If an attacker can trick an administrator into visiting a page of the attacker’s choice, the attacker could execute javascript in the context of the victim’s administrator session, allowing them to make requests as the administrator, steal nonce values or hijack the administrator account.

This attack may not be possible in some browsers which escape HTML in URLs.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 4 Medium
Vector Network
Complexity Low
Authentication Single
Confidentiality None
Integrity Partial
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Advisory timeline

Mitigation/further actions

Version 1.09 has been released which fixes this vulnerability. Users running older versions should upgrade immediately.