$_REQUEST['settings'] are not escaped.
So we can create
$field['id'] which will be displayed without
Similar issue exists also inside
Proof of Concept:
XSS visible for all logged users.
Because datas are base64 encoded and serialized Google Chrome XSS Auditor is bypassed.
- 02-12-2015: Discovered
- 02-12-2015: Vendor notified
- 10-02-2016: Version 2.6.0 released, issue resolved