PT-2015-5369 · Facebook · Spider Facebook Plugin
Published 2015-02-11 · Updated 2015-02-12 · CVE-2015-1582
CVSS v2.0: 4.3 (Medium)
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Spider Facebook plugin versions prior to 1.0.11
Description
The issue allows remote attackers to inject arbitrary web script or HTML via certain parameters. Specifically, the appid parameter in a registration task to the default URI is vulnerable. In addition, remote administrators can inject arbitrary web script or HTML via the asc or desc, order by, page number, serch or not, or search events by title parameter in various actions, including the Spider Facebook manage page to wp-admin/admin.php and the selectpagesforfacebook or selectpostsforfacebook action to wp-admin/admin-ajax.php. In each case a request parameter is reflected into a page without sufficient output encoding, i.e. cross-site scripting (XSS).
Recommendations
For versions prior to 1.0.11, update to version 1.0.11 or later to resolve the issue. As a temporary workaround until the update is applied, restrict access to the vulnerable parameters (appid, asc or desc, order by, page number, serch or not, and search events by title) and avoid passing them to the affected endpoints.
Exploit
Fix
XSS
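The description above names request parameters that are reflected into HTML without adequate output encoding. The following is an added illustration of that defect class and its fix, written for this page; it is not the Spider Facebook plugin's code. The parameter name appid comes from the advisory, the function names (render_app_input_unsafe, render_app_input_safe, validate_appid, validate_order) and the sample value are hypothetical, and esc_attr()/esc_html() are the real WordPress escaping helpers, with a stand-in defined so the file also runs outside WordPress.

```php
<?php
// Added example, not the plugin's own code: a request parameter reflected
// into HTML unescaped (the XSS pattern), beside the hardened version.

// Constructed sample input standing in for $_GET['appid'].
$sample_appid = '123"><b>injected</b>';

// Vulnerable pattern: the raw value is interpolated into an attribute, so a
// double quote in the input closes the attribute and the rest becomes markup.
function render_app_input_unsafe(string $appid): string {
    return '<input type="hidden" name="appid" value="' . $appid . '">';
}

// esc_attr()/esc_html() are WordPress functions; the fallbacks below are
// defined only so this file runs stand-alone and do the equivalent encoding.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Hardened pattern: escape for the exact output context at the point of
// output (esc_attr inside attributes, esc_html in element text).
function render_app_input_safe(string $appid): string {
    return '<input type="hidden" name="appid" value="' . esc_attr($appid) . '">';
}

// Input validation as a second layer: an application id is numeric (hypothetical
// assumption for this example), so anything else is rejected before rendering.
function validate_appid(string $appid): ?string {
    return ctype_digit($appid) ? $appid : null;
}

// Same idea for a sort-direction style parameter such as the advisory's
// "asc or desc": accept only the two known values, never the raw string.
function validate_order(string $value): string {
    return strtolower($value) === 'desc' ? 'desc' : 'asc';
}

echo render_app_input_unsafe($sample_appid), "\n"; // input breaks out of the attribute
echo render_app_input_safe($sample_appid), "\n";   // quotes and brackets become entities
var_dump(validate_appid($sample_appid));            // NULL: rejected before it reaches HTML
echo validate_order('desc"><i>x</i>'), "\n";        // "asc": unknown value falls back to a safe default
```

Escaping at the output site is the fix that closes the reported class regardless of how the value arrived; the validation helpers reduce what reaches that site in the first place, but they are not a substitute for context-correct escaping.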
Weakness Enumeration
Related Identifiers
Affected Products
Spider Facebook Plugin