This host is installed with WordPress Facebook Promotion Generator Plugin and is prone to cross-site scripting vulnerability.

Successful exploitation will allow remote attacker to execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. Impact Level: Application

No solution or patch is available as of 9th February, 2015. Information regarding this issue will be updated once the solution details are available. For updates refer to http://www.wordpress.org/plugins/fbpromotions

Input passed via the 'promo_type', 'fb_edit_action', and 'promo_id' parameters to admin/swarm-settings.php script is not properly sanitised before returning to the user.

WordPress Facebook Promotion Generator Plugin version 1.3.4 and prior.

Send a crafted data via HTTP GET request and check whether it is able to read cookie or not.

• http://codevigilant.com/disclosure/wp-plugin-fbpromotions-a3-cross-site-scripting-xss
• http://www.osvdb.com/108650
• http://xforce.iss.net/xforce/xfdb/94372

---

Updated on 2015-03-25