The plugin does not sanitise or escape some of its settings, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Put the following payload in any of the fields in the 'Basic Settings' section of the plugin's settings page (/wp-admin/admin.php?page=stb-settings): " autofocus onfocus=alert(/XSS/)//
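As an added example, not the plugin's own code, this shows the unescaped-output pattern the advisory describes beside the hardened form (sanitise on save, escape on output); the option name `stb_basic_title` and settings group `stb_settings` are assumed.

```php
<?php
// Added example, not taken from the plugin. Option name 'stb_basic_title'
// and settings group 'stb_settings' are assumed names.

// Vulnerable pattern: the stored setting is echoed straight into an
// attribute. A value containing a double quote closes the attribute early,
// so whatever follows is parsed as new attributes. The unfiltered_html
// capability is never consulted on this path, which is why the advisory
// notes the issue holds even when that capability is disallowed.
function stb_render_field_vulnerable() {
    $value = get_option( 'stb_basic_title', '' );
    echo '<input type="text" name="stb_basic_title" value="' . $value . '">';
}

// Hardened, step 1: register the option with a sanitize_callback so the
// value is cleaned before it is written to the database.
function stb_register_settings() {
    register_setting(
        'stb_settings',
        'stb_basic_title',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field', // strips tags, trims whitespace
        )
    );
}
add_action( 'admin_init', 'stb_register_settings' );

// Hardened, step 2: escape on output regardless of what was stored.
// esc_attr() turns " into &quot; so the attribute cannot be broken out of,
// which also covers values saved before the sanitize_callback existed.
function stb_render_field_hardened() {
    $value = get_option( 'stb_basic_title', '' );
    printf(
        '<input type="text" name="%s" value="%s">',
        esc_attr( 'stb_basic_title' ),
        esc_attr( $value )
    );
}
```

Output escaping is the control that holds even if a crafted value is already in the options table; sanitising on save alone would leave such a stored value live until it is re-saved.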
Akash Rajendra Patil
2021-09-21
2022-07-01