This vulnerability has been discovered and reported by Carl Clegg (carl(at)cjc(dot)im)
The plugin generates registration and authorization forms that transmit data to the TradeSmarter trading platform. Forms are generated by a simple shortcode.
The a_aid parameter on a page that has a form allows for reflected XSS: its value is written into an iframe src attribute without any escaping.
412: echo '<iframe src="'.$protocol.'://trading.vospari.com/ru?a_aid='.$_GET['a_aid'].'" style="display:none;" width="0" height="0"></iframe>';
alert(1) but could be used to run something more malicious
Upgrade to version 1.4
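For reference, one way to emit the same iframe safely, as an added example that is not the plugin's code and not necessarily how version 1.4 fixes it. The function name build_tracking_iframe and the 64-character limit are assumptions; the sample inputs are constructed.

```php
<?php
// Added example, not the plugin's code. The function name and the
// affiliate-ID length limit are assumptions made for illustration.

function build_tracking_iframe(string $protocol, $aid): string
{
    // Accept only the two schemes the page's $protocol variable should hold.
    if (!in_array($protocol, ['http', 'https'], true)) {
        $protocol = 'https';
    }

    // $_GET values can be arrays (a_aid[]=x) or absent; treat those as empty.
    if (!is_string($aid)) {
        $aid = '';
    }
    $aid = substr($aid, 0, 64); // assumed upper bound on an affiliate ID

    // Step 1: encode for the URL query-string context.
    $url = $protocol . '://trading.vospari.com/ru?a_aid=' . rawurlencode($aid);

    // Step 2: escape for the HTML attribute context.
    $src = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return '<iframe src="' . $src . '" style="display:none;" width="0" height="0"></iframe>';
}

// Constructed sample inputs: a normal ID, markup characters, an array, a missing value.
$samples = ['partner42', '"><i>x</i>', ['nested'], null];

foreach ($samples as $sample) {
    echo build_tracking_iframe('https', $sample), PHP_EOL;
}
```

Quotes and angle brackets in the second sample come out percent-encoded inside the src value, so the attribute is never closed early. Inside WordPress, wrapping the built URL in esc_url() serves the same purpose as step 2.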
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.