Video Lessons Manager - Admin+ Stored Cross-Site Scripting
The plugins do not properly sanitize and escape values when updating their settings, which could allow high privilege users to perform Cross-Site Scripting attacks
Proof of Concept
* Open the CM Video Lesson Plugin's Settings page.
* Click on Label Tab
* Enter payload like [ "><script>alert(1)</script> [ into the "channel" or "channels" fields.
* Save and the payload will execute on future visits to the Settings page.