The plugin does not sanitise and escape some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example on multisite, or when DISALLOW_UNFILTERED_HTML is set). The unfiltered_html capability only governs KSES filtering of post content; plugin options are protected only if the plugin sanitises them on save and escapes them on output.
Put the following payload in the "Currency Symbol" setting of the plugin and save it: "><svg/onload=prompt(/XSS/)>
The leading "> closes the value attribute and the input tag the setting is echoed into, so the injected <svg> fires its onload handler whenever the settings page is rendered.
Other settings are affected too (such as Minimum Payout Amount, Email Name, etc.).
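The following is an added example, not the affected plugin's code, contrasting the unsafe pattern the advisory describes with the fix a plugin author would apply. The option name `example_pay_currency_symbol`, the settings group `example_pay_settings` and the `example_pay_*` function names are hypothetical; `register_setting`, `sanitize_text_field`, `esc_attr`, `update_option`, `get_option` and `current_user_can` are standard WordPress APIs.

```php
<?php
/**
 * Added example (not the plugin's own code). Option name, settings group
 * and function names are hypothetical; the WordPress APIs are real.
 * Drop into a mu-plugin to compare the two behaviours on a test site.
 */

/* --- Vulnerable pattern: store raw, echo raw into an attribute --------- */

function example_pay_vuln_save() {
    // A capability check, but no sanitisation: an administrator can store
    // "><svg/onload=prompt(/XSS/)> even when unfiltered_html is disallowed,
    // because that capability only gates KSES on post content, not options.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    update_option( 'example_pay_currency_symbol', $_POST['currency_symbol'] ?? '' );
}

function example_pay_vuln_render() {
    // Unescaped output inside a double-quoted attribute: the stored `">`
    // closes the attribute and the tag, and the <svg onload> runs on load.
    echo '<input type="text" name="currency_symbol" value="'
        . get_option( 'example_pay_currency_symbol', '$' ) . '">';
}

/* --- Hardened pattern: sanitise on save, escape on output --------------- */

function example_pay_register_settings() {
    // register_setting() attaches a sanitize_callback that runs on every
    // save through the Settings API, including options.php submissions.
    register_setting( 'example_pay_settings', 'example_pay_currency_symbol', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_pay_sanitize_symbol',
        'default'           => '$',
    ) );
}
add_action( 'admin_init', 'example_pay_register_settings' );

function example_pay_sanitize_symbol( $value ) {
    // sanitize_text_field() strips tags, octets and control characters;
    // the length cap reflects what a currency symbol legitimately needs.
    $value = sanitize_text_field( (string) $value );
    return mb_substr( $value, 0, 5 );
}

function example_pay_safe_render() {
    // esc_attr() is the control that actually defends the attribute
    // context: `"` becomes &quot; and `<`/`>` become entities, so nothing
    // that survived sanitisation can terminate value="...".
    echo '<input type="text" name="example_pay_currency_symbol" value="'
        . esc_attr( get_option( 'example_pay_currency_symbol', '$' ) ) . '">';
}

/* --- Regression check using the advisory's payload ---------------------- */

function example_pay_check_payload() {
    $payload = '"><svg/onload=prompt(/XSS/)>';
    $stored  = example_pay_sanitize_symbol( $payload );   // becomes `">`
    $html    = 'value="' . esc_attr( $stored ) . '"';     // value="&quot;&gt;"
    // The stored value keeps no tag, and the rendered attribute contains no
    // raw quote or angle bracket that could break out of it.
    return false === strpos( $stored, '<' )
        && false === strpos( $html, '"><' )
        && 1 === preg_match( '/^value="[^"<>]*"$/', $html );
}
```

Both halves of the fix matter: `sanitize_text_field()` on save removes the tag but leaves the `">` fragment behind, and it is `esc_attr()` at output time that stops that fragment from closing the attribute. Sanitising only, or escaping with the wrong context function (for example `esc_html()` inside an attribute, or `esc_attr()` inside a `<script>` block), leaves the settings page exposed in the way the advisory describes.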
2022-08-16
2023-05-09