WordPress Pretty Link Lite Plugin SQL Injection And XSS Vulnerabilities

Summary
This host is running WordPress with the Pretty Link Lite plugin and is prone to SQL injection and cross-site scripting vulnerabilities.
Impact
Successful exploitation will allow remote attackers to perform SQL injection attacks and obtain sensitive information, or to insert arbitrary HTML and script code that will be executed in a user's browser session in the context of the affected site.
Impact Level: Application
Solution
Upgrade to Pretty Link Lite plugin version 1.5.4 or later. For updates refer to http://wordpress.org/extend/plugins/pretty-link/
Insight
The flaws are due to improper validation of user-supplied input to:
- the 'url' parameter of the pretty-bar.php script and the 'k' parameter of the rli-bookmarklet.php script;
- the 'page' parameter of '/wp-admin/admin.php', which allows an attacker to manipulate SQL queries by injecting arbitrary SQL code.
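The two defects described above are both input-validation failures: a request parameter reaching HTML output without escaping, and a request parameter reaching a SQL string without parameterization. The following PHP is an added illustration of the hardened pattern a WordPress plugin should use; it is not Pretty Link Lite's own code, and the function names (prettylink_demo_*) and the table name (demo_links) are hypothetical. Only the WordPress core APIs shown (esc_url_raw, esc_url, wp_unslash, wp_parse_url, sanitize_text_field, wp_die, $wpdb->prepare) are real.

```php
<?php
// Added illustration, not Pretty Link Lite's own code. Function names
// (prettylink_demo_*) and the table name (demo_links) are hypothetical.

// Unsafe pattern: a request parameter is reflected into markup unescaped,
// which is the shape of defect that yields reflected cross-site scripting.
function prettylink_demo_render_unsafe() {
    $url = $_GET['url'];
    echo '<a href="' . $url . '">Open</a>';
}

// Hardened pattern: validate the value, then escape it for the context it lands in.
function prettylink_demo_render_safe() {
    // esc_url_raw() strips disallowed schemes (e.g. javascript:) and returns '' if nothing is left.
    $url = isset( $_GET['url'] ) ? esc_url_raw( wp_unslash( $_GET['url'] ) ) : '';
    $scheme = $url ? wp_parse_url( $url, PHP_URL_SCHEME ) : '';
    if ( '' === $url || ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        // Reject rather than silently repair; a 400 is also easy to alert on in access logs.
        wp_die( 'Invalid url parameter.', 'Bad Request', array( 'response' => 400 ) );
    }
    // esc_url() performs the HTML-attribute escaping for the href context.
    echo '<a href="' . esc_url( $url ) . '">Open</a>';
}

// Hardened database access: never concatenate request data into SQL.
// $wpdb->prepare() binds the value as a string placeholder (%s) so the
// parameter can only ever be compared, not interpreted as SQL.
function prettylink_demo_lookup_link( $slug ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_links'; // hypothetical table, for illustration only
    $slug  = sanitize_text_field( wp_unslash( $slug ) );
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT id, url FROM {$table} WHERE slug = %s LIMIT 1", $slug )
    );
}
```

The design point is that validation (is this an http(s) URL at all?) and escaping (make it safe for an attribute, or bind it as a SQL parameter) are separate steps, and the escaping must match the output context; a value that is safe inside an href is not automatically safe inside a SQL string, which is why both the XSS and the SQL injection in this advisory are fixed independently.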
Affected
WordPress Pretty Link Lite Plugin version 1.5.2 and prior
References