Description
The sanitize_string function in ZenPhoto before 1.4.9 utilized the html_entity_decode function after input sanitation, which might allow remote attackers to perform a cross-site scripting (XSS) via a crafted string.
Remediation
References
Related Vulnerabilities
WordPress Plugin WPFront Notification Bar Cross-Site Scripting (1.9.1.04012)
WordPress Plugin Hustle-Pop-Ups, Slide-ins and Email Opt-ins CSV Injection (6.0.7)
WordPress Plugin WatchTowerHQ Privilege Escalation (3.6.16)
WordPress Plugin Comment Highlighter SQL Injection (0.13)
Python Improper Encoding or Escaping of Output Vulnerability (CVE-2020-26116)