The plugin does not escape the Amount Menu Name field of created Buttons, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Create/Edit a Button and put the following payload in the Amount Menu Name field (wpedon_button_scpriceprice parameter):

" autofocus=autofocus onfocus=alert(/XSS/) e=

The XSS will trigger when editing the affected Button.
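The root cause the advisory names is missing output escaping, not a missing capability check: a user without unfiltered_html can still store a double quote in the field, and if the edit form interpolates the stored value into an attribute without escaping, the quote ends the attribute and the rest of the value is parsed as new attributes. The following added example is not the plugin's code; the render functions, the attr_escape() stand-in for WordPress's esc_attr(), and the sample stored value (taken from the PoC above) are assumptions. It renders the field both ways and uses an HTML parser to check whether the stored value escaped its attribute.

```php
<?php
// Added example (not the plugin's own code): compares unescaped vs escaped
// output of the Amount Menu Name field and checks the parsed result.
declare(strict_types=1);

// Constructed sample: the value the PoC above stores in the field.
const SAMPLE_MENU_NAME = '" autofocus=autofocus onfocus=alert(/XSS/) e=';

// Stand-in for WordPress esc_attr(): encodes the characters that can end or
// alter an HTML attribute value. In a real plugin call esc_attr() itself.
function attr_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern (hypothetical): the stored value is concatenated straight
// into the edit form's value attribute, as the advisory describes.
function render_field_vulnerable(string $menu_name): string
{
    return '<input type="text" name="wpedon_button_scpriceprice" value="'
        . $menu_name . '">';
}

// Hardened pattern (hypothetical): the value is escaped for attribute context
// at output time, regardless of which capabilities the author had.
function render_field_hardened(string $menu_name): string
{
    return '<input type="text" name="wpedon_button_scpriceprice" value="'
        . attr_escape($menu_name) . '">';
}

// Parser-based check usable in a unit test or code review: after the browser
// side parses the markup, does the <input> carry any attribute that the
// template did not define (event handlers, autofocus)? A string search is not
// enough, since the escaped value still contains the text "onfocus=".
function has_attribute_breakout(string $html): bool
{
    $doc = new DOMDocument();
    // Suppress libxml warnings for fragments; wrap so parsing is predictable.
    @$doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    $allowed = ['type', 'name', 'value'];
    foreach ($doc->getElementsByTagName('input') as $input) {
        foreach ($input->attributes as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, $allowed, true)) {
                return true; // an attribute the template never emitted
            }
        }
    }
    return false;
}

foreach (['vulnerable' => 'render_field_vulnerable',
          'hardened'   => 'render_field_hardened'] as $label => $fn) {
    $html = $fn(SAMPLE_MENU_NAME);
    echo $label . ': ' . $html . PHP_EOL;
    echo '  attribute breakout: '
        . (has_attribute_breakout($html) ? 'yes' : 'no') . PHP_EOL;
}
```

Run it with the PHP CLI (the dom extension is required for DOMDocument). In the vulnerable rendering the parser sees autofocus and onfocus as attributes of the input element, which is exactly the condition the PoC relies on; in the hardened rendering the whole stored value stays inside the value attribute and the check reports no breakout. The fix belongs at the output site, since restricting unfiltered_html only governs what is stored, not how it is printed.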
2021-10-18
2022-04-14