The plugin does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers
https://example.com/wp-admin/edit.php?post_type=envira&page=envira-gallery-lite-addons&"><script>alert(1)</script>
ZhongFu Su(JrXnm) of WuHan University
ZhongFu Su(JrXnm) of WuHan University
Yes
2022-10-10 (about 11 months ago)
2022-10-10 (about 11 months ago)
2022-10-10 (about 11 months ago)