Hello 3APA3A!
These are vulnerabilities in Js-Multi-Hotel plugin for WordPress.
Vulnerable are Js-Multi-Hotel 2.2.1 and previous versions.
Joomlaskin
http://wordpress.org
Cross-Site Scripting (WASC-08):
Full path disclosure (WASC-13):
http://site/wp-content/plugins/js-multihotel/includes/timthumb.php?src=http://
I have disclosed it at my site (http://websecurity.com.ua/7082/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua