The plugin does not properly sanitise its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
In the plugin's settings, put the following values:
- In "Step 1: Enter text/HTML to remove (one per line)" field: powered
- In "Step 2: Enter your own footer credit (one per line)": ">--><img src onerror=alert(/XSS/)>

The XSS will be triggered in all pages.
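One way to close this on the saving side, as an added example that is not the plugin's own code: a settings sanitise callback that filters each line through WordPress's post-content KSES allowlist whenever the saving user lacks `unfiltered_html`. The option names, option group and function name are hypothetical stand-ins for the two fields used in the proof of concept.

```php
<?php
/**
 * Added example, not the plugin's code. All example_* names are hypothetical.
 */

// Hypothetical option names for the "Step 1" and "Step 2" settings fields.
const EXAMPLE_FIND_OPTION    = 'example_footer_find';
const EXAMPLE_REPLACE_OPTION = 'example_footer_replace';

/**
 * Sanitise a one-entry-per-line setting before it is stored.
 *
 * Users who hold unfiltered_html keep their markup as entered. Everyone
 * else has each line passed through wp_kses_post(), whose allowlist does
 * not include event-handler attributes such as onerror.
 */
function example_sanitize_lines( $value ) {
    if ( ! is_string( $value ) ) {
        return '';
    }
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    // Filter line by line so one entry cannot affect how another is parsed.
    $lines = preg_split( '/\r\n|\r|\n/', $value );
    return implode( "\n", array_map( 'wp_kses_post', $lines ) );
}

// Attach the callback to both settings so it runs on every save.
add_action( 'admin_init', function () {
    foreach ( array( EXAMPLE_FIND_OPTION, EXAMPLE_REPLACE_OPTION ) as $name ) {
        register_setting(
            'example_footer_group', // hypothetical option group
            $name,
            array(
                'type'              => 'string',
                'sanitize_callback' => 'example_sanitize_lines',
            )
        );
    }
} );
```

A callback like this only runs when the settings are saved, so values stored before it was added stay in the database unfiltered until the options are saved again or cleaned up.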
apple502j
apple502j
Yes
2022-01-12 (about 1 years ago)
2022-01-11 (about 1 years ago)
2022-04-12 (about 9 months ago)