The plugin does not escape the Field Error Message setting before outputting it, which could allow high-privileged users (such as admins) to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example on multisite, or when DISALLOW_UNFILTERED_HTML is set).
Create or edit a Comment Field (Comments > Comment Fields) and put the following payload in the Error Message setting:

"autofocus onfocus=alert(/XSS/)//

The XSS will then be triggered in any post that displays the comment form: the leading double quote closes the attribute the message is rendered into, autofocus gives the field focus on page load, and the onfocus handler runs without any user interaction.
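The following is an added example, not code from the plugin or from the advisory author. It reproduces the attribute-breakout mechanism behind the PoC: the leading double quote in the payload implies the setting is emitted inside a double-quoted HTML attribute, so the template below (with an assumed data-error-message attribute) is a constructed stand-in for the plugin's output. It renders the payload both unescaped and attribute-escaped, then tokenizes the resulting start tag the way a browser would to show which attributes actually end up on the element. Python's html.escape(quote=True) plays the role WordPress's esc_attr() would in the real fix.

```python
import html

# Payload copied from the advisory's PoC.
PAYLOAD = '"autofocus onfocus=alert(/XSS/)//'

# Constructed stand-in for how the plugin might emit the Error Message setting;
# the attribute name is an assumption, not taken from the plugin.
TEMPLATE = '<input type="text" name="comment_field" data-error-message="{}">'


def render_vulnerable(error_message):
    """Unescaped: the message is interpolated straight into a double-quoted attribute."""
    return TEMPLATE.format(error_message)


def render_hardened(error_message):
    """Attribute-escaped: html.escape(quote=True) maps '"' to '&quot;' (and & < > '),
    so the value can never terminate the attribute. Same effect as esc_attr()."""
    return TEMPLATE.format(html.escape(error_message, quote=True))


def parse_attributes(tag):
    """Minimal HTML start-tag attribute tokenizer: whitespace-separated names with
    optional quoted or unquoted values. Unquoted values run until whitespace,
    which is how a browser treats them. Returns {name: value_or_None}."""
    assert tag.startswith("<") and tag.endswith(">")
    body = tag[1:-1]
    n = len(body)
    i = 0
    while i < n and not body[i].isspace():  # skip the tag name
        i += 1
    attrs = {}
    while i < n:
        while i < n and body[i].isspace():
            i += 1
        if i >= n:
            break
        start = i
        while i < n and not body[i].isspace() and body[i] != "=":
            i += 1
        name = body[start:i].lower()
        value = None
        if i < n and body[i] == "=":
            i += 1
            if i < n and body[i] in "\"'":
                quote = body[i]
                i += 1
                start = i
                while i < n and body[i] != quote:
                    i += 1
                value = body[start:i]
                i += 1  # step past the closing quote
            else:
                start = i
                while i < n and not body[i].isspace():
                    i += 1
                value = body[start:i]
        attrs[name] = value
    return attrs


def injected_attributes(error_message, renderer):
    """Attribute names that appear on the element but are not in the template,
    i.e. what the setting value managed to smuggle in."""
    expected = set(parse_attributes(TEMPLATE.format("")))
    return sorted(set(parse_attributes(renderer(error_message))) - expected)


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("  injected:", injected_attributes(PAYLOAD, render_vulnerable))
    print("hardened:  ", render_hardened(PAYLOAD))
    print("  injected:", injected_attributes(PAYLOAD, render_hardened))
```

In the unescaped case the element gains autofocus and an onfocus handler whose value is alert(/XSS/)//" (the trailing // comments out the stray quote in JavaScript); in the escaped case the whole payload stays inside data-error-message as inert text.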
Rafshanzani Suhada
2022-07-14