The plugin does not sanitise and escape the backup_timestamp and job_id parameters before outputting them back in admin pages, leading to Reflected Cross-Site Scripting issues.
https://example.com/wp-admin/options-general.php?page=updraftplus&backup_timestamp=%3Cscript%3Ealert%28/XSS/%29%3B%3C%2Fscript%3E&action=updraft_restore
Krzysztof Zając
Krzysztof Zając
Yes
2021-12-06 (about 1 year ago)
2021-12-06 (about 1 year ago)
2022-04-11 (about 9 months ago)
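The missing validation and output escaping described above, shown as an added example that is not code from the plugin or from this advisory. The function names are hypothetical, the parameter formats (digits-only timestamp, hexadecimal job ID) are assumptions, and plain PHP `htmlspecialchars()` stands in for WordPress's `esc_html()` / `esc_attr()` so the script runs outside WordPress.

```php
<?php
// Added illustration; NOT UpdraftPlus source. All function names are hypothetical.

// Escape for HTML text and attribute contexts
// (inside WordPress, esc_html() and esc_attr() serve this purpose).
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern the advisory describes: the request value is echoed unchanged.
function render_restore_notice_vulnerable(array $query): string {
    $ts = $query['backup_timestamp'] ?? '';
    return '<p>Restoring backup set ' . $ts . '</p>';
}

// Hardened pattern: validate against an allowlist first, then escape on output.
// Assumed formats: backup_timestamp is a Unix timestamp (digits only),
// job_id is a short hexadecimal token.
function render_restore_notice_hardened(array $query): string {
    $ts  = $query['backup_timestamp'] ?? '';
    $job = $query['job_id'] ?? '';

    // Array-valued parameters and malformed strings are rejected outright.
    if (!is_string($ts) || !preg_match('/\A[0-9]{1,12}\z/', $ts)) {
        return '<p>Invalid backup timestamp.</p>';
    }
    if (!is_string($job) || ($job !== '' && !preg_match('/\A[0-9a-f]{1,32}\z/i', $job))) {
        return '<p>Invalid job ID.</p>';
    }

    // Escaping is still applied so output stays safe if validation is loosened later.
    $html = '<p>Restoring backup set ' . h($ts) . '</p>';
    if ($job !== '') {
        $html .= '<input type="hidden" name="job_id" value="' . h($job) . '">';
    }
    return $html;
}

// Constructed input: the URL-decoded backup_timestamp value from the advisory's URL.
$poc = ['backup_timestamp' => '<script>alert(/XSS/);</script>'];
echo render_restore_notice_vulnerable($poc), PHP_EOL; // markup is reflected as-is
echo render_restore_notice_hardened($poc), PHP_EOL;   // request is rejected
// Constructed well-formed request: rendered with both values escaped.
echo render_restore_notice_hardened(
    ['backup_timestamp' => '1638748800', 'job_id' => 'a1b2c3d4e5f6']
), PHP_EOL;
```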