The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Put the following payload in the "Before Label" or "After Label" settings of the plugin (Word Count > Reading Time) and save: "autofocus onfocus=alert(/XSS/)//
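The output-escaping fix for this class of bug, as an added example that is not the plugin's own code. It assumes the label is echoed into the value attribute of an input on the settings page; the function names and the before_label field name are hypothetical, and htmlspecialchars() stands in for WordPress's esc_attr() so the script runs without WordPress.

```php
<?php
// Added example; function and field names are hypothetical.
// Constructed sample: the value from the proof of concept above.
$stored = '"autofocus onfocus=alert(/XSS/)//';

// Unescaped output: the leading quote closes value="" and the rest of the
// string is parsed as extra attributes on the <input>.
function render_unescaped(string $value): string {
    return '<input type="text" name="before_label" value="' . $value . '">';
}

// Escaped for an attribute context. In WordPress this would be esc_attr();
// htmlspecialchars() stands in so the script runs without WordPress.
function render_escaped(string $value): string {
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="before_label" value="' . $safe . '">';
}

// Parse the markup and return the attribute names found on the <input>.
function input_attributes(string $html): array {
    libxml_use_internal_errors(true); // the broken markup triggers parser warnings
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    $names = [];
    $input = $doc->getElementsByTagName('input')->item(0);
    foreach ($input->attributes as $attr) {
        $names[] = $attr->name;
    }
    sort($names);
    return $names;
}

// Regression check: only the attributes the template wrote may be present.
$expected = ['name', 'type', 'value'];
$cases = ['unescaped' => render_unescaped($stored), 'escaped' => render_escaped($stored)];
foreach ($cases as $label => $html) {
    $attrs = input_attributes($html);
    $verdict = ($attrs === $expected) ? 'OK' : 'UNEXPECTED ATTRIBUTES';
    printf("%-9s [%s] %s\n", $label, implode(', ', $attrs), $verdict);
}
```

Sanitising on save, for example with sanitize_text_field() in a register_setting() callback, complements this but does not strip the double quote, so escaping at output is the control that stops the attribute breakout.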
2022-10-06 (about 11 months ago)
2022-10-06 (about 11 months ago)
2023-04-18 (about 5 months ago)