The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).
Go to Meow Apps » AI Engine » Chatbot tab » Visual Settings and put the following payload in the "Start Sentence" or "Compliance Text": <img src=x onerror=alert(/XSS/)>.
Felipe Restrepo Rodriguez
Felipe Restrepo Rodriguez
Yes
2023-05-30 (about 3 months ago)
2023-05-30 (about 3 months ago)
2023-05-30 (about 3 months ago)