LJ Comments Import: Reloaded WordPress Plugin Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the LJ Comments Import: Reloaded plugin for WordPress, affecting all versions through 0.97.1. The issue arises from inadequate input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts. This injected script could execute if a user is tricked into clicking a link. The vulnerability is specifically related to the PHP_SELF parameter, which can include attacker-controlled PATH_INFO, and there are two unsanitized output points for this value within the same function.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject scripts that are executed in the context of the user's browser.

Remediation

There is no known patch available for this vulnerability. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.