WordPress · Jquery Hover Footnotes · CVE-2026-10553
**Name of the Vulnerable Software and Affected Versions**
jQuery Hover Footnotes versions prior to 1.5
**Description**
The plugin is subject to Cross-Site Request Forgery (CSRF), a flaw in which an attacker tricks an authenticated victim into performing an action they did not intend. The cause is missing or incorrect nonce validation in the `jqFootnotes_options_subpanel()` function: the settings handler accepts a forged POST request without verifying a WordPress nonce, so an unauthenticated attacker who gets a logged-in administrator to visit a crafted page (for example via a link) can update the plugin's settings with arbitrary values. Because the `jqfoot_anchor_open`, `jqfoot_anchor_close`, and `jqfoot_title` values are persisted via `update_option()` without sanitization and rendered unescaped on the frontend, the CSRF can be chained into persistent (stored) Cross-Site Scripting (XSS), so attacker-controlled script executes in the browser of every visitor to the site.
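The following is an added illustration, not the plugin's own code: it reconstructs the class of bug the advisory describes (a settings handler with no nonce check, no capability check, no input sanitization and no output escaping) and places it beside a hardened version. The handler and hook names, the form layout and the default anchor values are assumptions; only the option names from the advisory and the WordPress core functions (`check_admin_referer`, `current_user_can`, `sanitize_text_field`, `update_option`, `esc_html`, `esc_attr`) are real.

```php
<?php
// Added example modelled on the advisory; not the jQuery Hover Footnotes code.
// Function names below are hypothetical. Option names follow the advisory.

/*
 * VULNERABLE pattern: any POST that reaches this handler is honoured. No nonce,
 * no capability check, raw values stored. A forged cross-site form submission
 * made by a logged-in admin's browser is enough to rewrite the options.
 */
function jqfoot_save_options_vulnerable() {
    if ( isset( $_POST['jqfoot_submit'] ) ) {
        update_option( 'jqfoot_anchor_open',  $_POST['jqfoot_anchor_open'] );
        update_option( 'jqfoot_anchor_close', $_POST['jqfoot_anchor_close'] );
        update_option( 'jqfoot_title',        $_POST['jqfoot_title'] );
    }
}

// Unescaped output turns the stored values into persistent XSS for all visitors.
function jqfoot_render_anchor_vulnerable( $number ) {
    return get_option( 'jqfoot_anchor_open' ) . $number . get_option( 'jqfoot_anchor_close' );
}

/*
 * HARDENED form. The settings page must emit a nonce field bound to the action
 * name that the handler later verifies.
 */
function jqfoot_options_form_hardened() {
    echo '<form method="post">';
    wp_nonce_field( 'jqfoot_save_options', 'jqfoot_nonce' ); // hidden nonce input
    echo '<input type="text" name="jqfoot_anchor_open" value="'
        . esc_attr( get_option( 'jqfoot_anchor_open', '[' ) ) . '">';
    echo '<input type="text" name="jqfoot_anchor_close" value="'
        . esc_attr( get_option( 'jqfoot_anchor_close', ']' ) ) . '">';
    echo '<input type="text" name="jqfoot_title" value="'
        . esc_attr( get_option( 'jqfoot_title', '' ) ) . '">';
    echo '<input type="submit" name="jqfoot_submit" value="Save">';
    echo '</form>';
}

function jqfoot_save_options_hardened() {
    if ( ! isset( $_POST['jqfoot_submit'] ) ) {
        return;
    }
    // 1. Authorization: only users who may manage options get this far. A nonce
    //    alone does not establish who is allowed to act.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: check_admin_referer() verifies the nonce for this exact action
    //    and stops with a 403 page if it is missing, expired or forged.
    check_admin_referer( 'jqfoot_save_options', 'jqfoot_nonce' );

    // 3. Sanitize on input. wp_unslash() removes the slashes WordPress adds to
    //    request data; sanitize_text_field() strips tags and control characters.
    $open  = sanitize_text_field( wp_unslash( $_POST['jqfoot_anchor_open']  ?? '' ) );
    $close = sanitize_text_field( wp_unslash( $_POST['jqfoot_anchor_close'] ?? '' ) );
    $title = sanitize_text_field( wp_unslash( $_POST['jqfoot_title']        ?? '' ) );

    update_option( 'jqfoot_anchor_open',  $open );
    update_option( 'jqfoot_anchor_close', $close );
    update_option( 'jqfoot_title',        $title );
}

// 4. Escape on output, for the context each value lands in: esc_attr() inside
//    the title attribute, esc_html() for the visible anchor text.
function jqfoot_render_anchor_hardened( $number ) {
    return sprintf(
        '<a href="#fn-%1$d" title="%2$s">%3$s%1$d%4$s</a>',
        (int) $number,
        esc_attr( get_option( 'jqfoot_title', '' ) ),
        esc_html( get_option( 'jqfoot_anchor_open', '[' ) ),
        esc_html( get_option( 'jqfoot_anchor_close', ']' ) )
    );
}
```

Two caveats a reviewer would raise. First, `sanitize_text_field()` strips all markup, so if a plugin legitimately wants the anchor strings to contain HTML (a `<sup>` wrapper, say), the right tool is `wp_kses()` with an explicit allowlist on both input and output rather than `esc_html()`, which would display the tags literally. Second, for a real settings page the WordPress Settings API (`register_setting()` with a `sanitize_callback`, `settings_fields()` in the form, submission to `options.php`) supplies the nonce, capability check and sanitization hook in one place, which is harder to get wrong than a hand-written handler.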
**Recommendations**
Update to version 1.5 or later.