CVE-2015-20019: 
WordPress vulnerability analysis and mitigation

The Content text slider on post WordPress plugin before version 6.9 contains a Cross-Site Scripting (XSS) vulnerability identified as CVE-2015-20019. The vulnerability was discovered on December 7, 2015, by researcher ALIREZA_PROMIS. The issue affects the Title and Message/Content settings of the plugin, which fail to properly sanitize and escape user input (WPScan).

The vulnerability is located in the 'page' value parameter of the 'options-general.php' file. Remote attackers can inject malicious script code via POST method request to the 'Title' or 'Message/Content' input fields. The execution occurs in the 'All popups' module when processing the request manually. The vulnerability has been assigned a CVSS score of 5.4 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD, Bugtraq).

Successful exploitation of this vulnerability could allow attackers to perform persistent phishing attacks, session hijacking, persistent external redirects to malicious sources, and application-side manipulation of affected or connected module context. An attacker with moderator access could potentially steal admin cookies to compromise the WordPress application and connected DBMS (Bugtraq).

The vulnerability has been patched in version 6.9 of the Content text slider on post plugin. Users should upgrade to this version or later to protect against this security issue (WPScan).