An AJAX action registered by the plugin did not have capability checks nor sanitization, allowing low privilege users (subscriber+) to call it and set XSS payloads, which will be triggered in all backend pages. Version 4.5.6 fixed the XSS issue with sanitization of the parameters, but did not fix the Subscriber+ options update. See additional related vulnerability patched in version 4.5.8.
Proof of Concept
Fixed in version 4.5.6✓
2021-04-03 (about 7 months ago)
2021-04-06 (about 7 months ago)
2021-04-07 (about 7 months ago)