A vulnerability in the wp-content/plugins/pretty-link/includes/version-2-kvasir/open-flash-chart.swf file of the WordPress Pretty Link Lite plug-in, versions prior to 1.6.3, could allow an unauthenticated, remote attacker to conduct reflected cross-site scripting (XSS) attacks.
The vulnerability is due to insufficient sanitization of user-supplied input passed to the file's get-data GET parameter. An attacker could exploit this vulnerability by persuading a user to follow a malicious URL that submits a crafted get-data value to the vulnerable file. When the user visits the URL, the attacker could execute arbitrary HTML and script code in the user's browser session in the context of the affected site. This could allow the attacker to access sensitive browser-based information, such as cookie-based authentication credentials or recently submitted data.
Proof-of-concept code that exploits this vulnerability is publicly available.
Users should verify that unsolicited links are safe to follow.
For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin, Understanding Cross-Site Scripting (XSS) Threat Vectors.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
WordPress has released a changelog at the following link: CVE-2013-1636. WordPress has released updated software at the following link: Pretty Link Lite 1.6.3 or later.
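Two checks a practitioner can run for this advisory, as an added example that is not part of the original bulletin or of the Pretty Link Lite plug-in: a version check against the fixed release 1.6.3, read from the plug-in's standard WordPress plugin header, and a scan of web server access log lines for requests to the vulnerable open-flash-chart.swf path whose get-data parameter carries something other than a plain identifier. The plug-in header text and the Apache-style log lines are constructed for the example; the identifier-only heuristic for what a benign get-data value looks like, and the alert(document.cookie) placeholder payload, are assumptions of the example, not something the advisory states.

```python
"""Added example (not from the advisory or the plug-in): triage helpers for
the Pretty Link Lite open-flash-chart.swf XSS (CVE-2013-1636).

  1. is_vulnerable_version(): is the installed plug-in older than 1.6.3?
  2. scan_log(): which access-log requests hit the vulnerable .swf with a
     suspicious get-data value?

All sample data below is constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

FIXED_VERSION = (1, 6, 3)  # first fixed release named in the advisory
VULN_PATH = ("wp-content/plugins/pretty-link/includes/"
             "version-2-kvasir/open-flash-chart.swf")

# Apache combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: a benign get-data value is a plain identifier-like token.
# Anything else (parentheses, quotes, angle brackets, ...) is flagged.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.-]*$")


def parse_version(header_text):
    """Return the 'Version:' value from a WordPress plugin header as an int tuple."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.MULTILINE)
    if not m:
        raise ValueError("no Version: header found")
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def is_vulnerable_version(header_text):
    """True when the plug-in version is prior to the fixed release 1.6.3."""
    return parse_version(header_text) < FIXED_VERSION


def suspicious_get_data(target):
    """If `target` (the request path+query) addresses the vulnerable .swf and
    carries a get-data value outside SAFE_VALUE, return the decoded value;
    otherwise return None."""
    parts = urlsplit(target)
    if not parts.path.endswith(VULN_PATH):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("get-data", []):
        if not SAFE_VALUE.match(value):
            return value
    return None


def scan_log(lines):
    """Return one dict per log line that looks like an attempt against the .swf."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        value = suspicious_get_data(m.group("target"))
        if value is not None:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": int(m.group("status")), "get_data": value})
    return hits


# Constructed sample plugin header (format is standard WordPress; values are made up).
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Pretty Link Lite
Version: 1.6.2
*/
"""

# Constructed sample log lines: one placeholder payload, one benign value, one unrelated path.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2013:12:00:01 +0000] "GET /' + VULN_PATH +
    '?get-data=alert%28document.cookie%29 HTTP/1.1" 200 12345 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2013:12:00:02 +0000] "GET /' + VULN_PATH +
    '?get-data=load_chart_data HTTP/1.1" 200 12345 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2013:12:00:03 +0000] "GET /wp-content/plugins/'
    'pretty-link/pretty-link.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("plug-in version vulnerable:", is_vulnerable_version(SAMPLE_PLUGIN_HEADER))
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious request:", hit)
```

The log heuristic is deliberately narrow: it only looks at requests for the vulnerable path and only at the get-data parameter, so an unusual but harmless value would also be flagged; treat hits as triage leads and confirm exposure with the version check rather than from log evidence alone. A site that has moved WordPress into a subdirectory still matches, since the path comparison is a suffix match.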