Nicole Sheinin

#42271 of 53,635
6.4 Total CVSS
Vulnerabilities · 1
PT-2022-27110
6.4
2022-12-14
WordPress · Permalink Manager Lite · CVE-2022-4410
**Name of the Vulnerable Software and Affected Versions**

Permalink Manager Lite plugin for WordPress, versions up to and including 2.2.20.3

**Description**

The issue arises from improper output escaping on post/page/media titles, allowing Stored Cross-Site Scripting attacks. This enables attackers to inject arbitrary web scripts on the permalink-manager page, provided another plugin or theme is installed that grants lower-privileged users the ability to modify post/page titles with malicious web scripts.

**Recommendations**

For Permalink Manager Lite plugin for WordPress versions up to and including 2.2.20.3, update to a version higher than 2.2.20.3 to resolve the issue. As a temporary workaround, consider restricting the ability of lower-privileged users to modify post/page titles, or disabling the `unfiltered_html` capability for these users, until a patch is available.