The plugin has a REST endpoint allowing unauthenticated users to update the plz_configuration_tracker_enable option, which is then displayed in the admin panel without sanitisation and escaping, leading to a Stored Cross-Site Scripting issue
curl -X POST 'https://example.com/wp-json/plz/v2/configuration/update-tracker?switchstatus="><svg/onload=alert(`XSS`)>'
Brandon James Roldan
Brandon James Roldan
Yes
2022-03-07 (about 1 years ago)
2022-03-07 (about 1 years ago)
2022-04-08 (about 1 years ago)