The plugin does not escape its qrcode links settings, which result into Stored Cross-Site Scripting issues in frontend posts and the plugins settings page depending on the payload used
Put the following payload in the wechat_qrcode settings of the plugin: http://127.0.0.1/"onerror=alert(/XSS/)// and the XSS will be triggered in all frontend posts The following payload could also be used to only trigger in the plugin's settings page: " style=animation-name:rotation onanimationstart=alert(/XSS/)//
Yes
2021-07-30 (about 1 years ago)
2021-08-19 (about 11 months ago)
2022-04-09 (about 4 months ago)