WordPress · Display-Widgets · CVE-2015-9438
**Name of the Vulnerable Software and Affected Versions**
display-widgets plugin versions prior to 2.04
**Description**
The issue allows for XSS via the "wp-admin/admin-ajax.php?action=dw show widget" API endpoint, specifically through the `id base`, `widget number`, or `instance` parameters.
**Recommendations**
For versions prior to 2.04, update to version 2.04 or later to resolve the issue.