The plugin does not escape some of its settings before outputting them, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
As admin, put the following payload in the "Provide your IP-API Pro key", "Memcached Server Host", "Set the realtime script refresh inverval" or "Memcached Server Port" settings and save: "autofocus onfocus=alert(/XSS/)//
Note: for settings expecting an integer, change the type=number to type=text with the browser inspector to be able to put the payload.
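As an added illustration (not the plugin's own code; the example_* option and function names are hypothetical), here is the unescaped output pattern the advisory describes beside the sanitize-on-save, escape-on-output form that closes it:

```php
<?php
// Added example, not the plugin's code. Option and function names are hypothetical.

// Vulnerable pattern: the saved option is printed straight into an HTML attribute.
// A value such as  "autofocus onfocus=alert(/XSS/)//  closes the value attribute
// and appends an event handler, which is exactly what the advisory's payload does.
function example_render_memcached_host_vulnerable() {
    $host = get_option( 'example_memcached_host', '' );
    echo '<input type="text" name="example_memcached_host" value="' . $host . '">';
}

// Hardened pattern, step 1: sanitize on save via register_setting().
function example_register_settings() {
    register_setting( 'example_options', 'example_memcached_host', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field', // strips tags, but NOT quotes
        'default'           => '',
    ) );
    // Integer settings: absint() keeps only a non-negative integer, so switching
    // type=number to type=text in the browser inspector no longer lets text through.
    register_setting( 'example_options', 'example_memcached_port', array(
        'type'              => 'integer',
        'sanitize_callback' => 'absint',
        'default'           => 11211,
    ) );
}
add_action( 'admin_init', 'example_register_settings' );

// Hardened pattern, step 2: escape on output. sanitize_text_field() leaves the
// double quote in place, so esc_attr() at output time is what actually prevents
// the attribute breakout; it encodes " < > & before the value reaches the page.
function example_render_memcached_host() {
    $host = get_option( 'example_memcached_host', '' );
    printf(
        '<input type="text" name="example_memcached_host" value="%s">',
        esc_attr( $host )
    );
}

function example_render_memcached_port() {
    // Casting to int on output is a second guard in case the stored value was
    // written before the sanitize callback existed.
    $port = (int) get_option( 'example_memcached_port', 11211 );
    printf(
        '<input type="number" name="example_memcached_port" value="%d">',
        $port
    );
}
```

Both steps are needed: a sanitize callback alone does not stop attribute injection, and escaping alone leaves unvalidated data in the database for other code paths to print.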
Mika
Yes
2022-08-22 (about 1 years ago)
2023-05-11 (about 4 months ago)