CVE-2015-2218

Name of the Vulnerable Software and Affected Versions WonderPlugin Audio Player plugin version 2.0 and earlier

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. The injection can occur via the item[name] or item[customcss] parameter in a "wonderplugin audio save item" action to "/wp-admin/admin-ajax.php" or the itemid parameter in the "wonderplugin audio show item" or "wonderplugin audio edit item" page to "/wp-admin/admin.php".

Recommendations For WonderPlugin Audio Player plugin version 2.0 and earlier, update to version 2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the wp ajax save item function in wonderpluginaudio.php until a patch is available. Avoid using the item[name] and item[customcss] parameters in the affected API endpoint and the itemid parameter in the vulnerable pages to minimize the risk of exploitation.