According to an advisory released by Packetstorm, a fellow by the name of g30rg3_x has discovered two bugs within Dean’s Permalinks Migration Plugin version 1.0. The first bug relates to XSRF and can allow an attacker to force a user to perform an unsolicited action that when combined with an XSS bug that has also been discovered, allows the attacker to gain valid credentials.
g30rg3_x actually provides a detailed explanation into the problem:
Since the variable $dean_pm_config[‘oldstructure’] its not correctly sanitized (when retrieving), this allow any user to store/save “malicious code” inside the database and later be injected this “malicious code” when the data is retrieved. Using the XSRF as a “combo” we can create crafted pages that will force users to conduct this injection and steal some valid credentials to the WordPress based CMS.
g30rg3_x has tried to contact the author of the plugin but has not had any success in doing so. Instead, he has taken on the liberty of releasing his own special sub-version for the plugin which contains the necessary fixes. The plugin is called 1.1-gx and uses some of the WordPress coding standards that are suggested by WordPress developers. You can download a fixed version of this plugin by clicking here.