The plugin does not sanitise and escape the user parameter before outputting it back in the Points Log admin dashboard, leading to a Reflected Cross-Site Scripting issue.
(With at least one log displayed): https://example.com/wp-admin/admin.php?page=mycred&user=1"'><script>alert(/XSS/)</script>
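The missing escaping step, shown as an added example (this is not the plugin's own code). The function names are hypothetical, and it is an assumption that the value is echoed into an HTML attribute, made because the proof of concept starts by closing a quote and a tag. Plain PHP is used so it runs without WordPress.

```php
<?php
// Added illustration: hypothetical rendering helpers, not the plugin's actual code.

// Constructed sample input: the `user` query value from the proof of concept above.
$user = '1"\'><script>alert(/XSS/)</script>';

// Vulnerable pattern: the raw request value is concatenated into an attribute.
function render_user_filter_unsafe(string $user): string
{
    return '<input type="text" name="user" value="' . $user . '" />';
}

// Hardened pattern: escape for the HTML attribute context at output time.
// Inside WordPress, esc_attr() is the function for this context;
// htmlspecialchars() keeps the example runnable on its own.
function render_user_filter_safe(string $user): string
{
    $escaped = htmlspecialchars($user, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="user" value="' . $escaped . '" />';
}

// Input-side validation, under the assumption that a field only ever
// carries a numeric user ID: anything else is rejected and becomes 0.
// (WordPress provides absint() for coercing a value to a non-negative integer.)
function sanitize_user_id(string $user): int
{
    return preg_match('/\A[0-9]+\z/', $user) === 1 ? (int) $user : 0;
}

$unsafe = render_user_filter_unsafe($user);
$safe   = render_user_filter_safe($user);

echo "unsafe: {$unsafe}\n";
echo "safe:   {$safe}\n";
echo "as ID:  " . sanitize_user_id($user) . "\n";

// Check for a live <script> tag in each rendering.
var_dump(strpos($unsafe, '<script>') !== false);
var_dump(strpos($safe, '<script>') !== false);
```

Escaping at output is the fix that holds even when the field legitimately accepts free text; input validation narrows what reaches the page but does not replace it.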
Jeremie Amsellem
Jeremie Amsellem
Yes
2017-04-20 (about 5 years ago)
2021-11-24 (about 5 months ago)
2022-04-11 (about 1 month ago)