The plugin does not sanitise its settings fields, leading to authenticated (admin+) Stored Cross-Site Scripting issues.
Step 1: Install the plugin "Easy Preloader".

Step 2: Enter the payload below in the text field "Choose overlay color" (or any other text field) in the plugin's settings (wp-admin/options-general.php?page=ep-options):

"><script>alert(/XSS/)</script>

Step 3: The script is stored and executed every time the plugin settings page is loaded.
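The two controls whose absence produces this behaviour, validation when the setting is saved and escaping when it is rendered, are shown below as an added example. It is not the plugin's code: the function names and the `overlay_color` field name are assumptions, and plain PHP functions stand in for the WordPress helpers named in the comments.

```php
<?php
// Added illustration, not the Easy Preloader source.
// Function names and the "overlay_color" field name are hypothetical.

// Vulnerable pattern: the stored setting is echoed into an attribute unescaped.
function render_field_vulnerable(string $stored): string {
    return '<input type="text" name="overlay_color" value="' . $stored . '">';
}

// Save-time control: accept only a #rgb or #rrggbb colour, otherwise fall back
// to a default. In WordPress, sanitize_hex_color() applies a comparable check.
function sanitize_overlay_color(string $input, string $default = '#ffffff'): string {
    $input = trim($input);
    return preg_match('/^#(?:[0-9a-fA-F]{3}){1,2}\z/', $input) === 1 ? $input : $default;
}

// Output-time control: encode the value for an HTML attribute context.
// In WordPress, esc_attr() is the helper for this.
function render_field_hardened(string $stored): string {
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="overlay_color" value="' . $safe . '">';
}

// Value from step 2 of the report, used as the test input.
$submitted = '"><script>alert(/XSS/)</script>';

// 1. No controls: the quote closes the attribute and the tag is emitted as markup.
echo render_field_vulnerable($submitted), PHP_EOL;

// 2. Escaping only: the value is stored as-is but rendered as inert text.
echo render_field_hardened($submitted), PHP_EOL;

// 3. Validation plus escaping: the value is rejected at save time and the
//    default colour is stored instead; a legitimate colour passes through.
echo render_field_hardened(sanitize_overlay_color($submitted)), PHP_EOL;
echo render_field_hardened(sanitize_overlay_color('#1a2b3c')), PHP_EOL;
```

Escaping on output is the control that has to be present on every field of the settings page; the colour validation only fits fields with a fixed format, and free-text fields need a sanitiser suited to their content.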
Kishore Hariram
Kishore Hariram
Yes
2021-05-24 (about 1 years ago)
2021-05-24 (about 1 years ago)
2021-08-10 (about 10 months ago)