The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
[store_locator_show location="'); alert(1); wpmsl_update_map('"]
Lana Codes
Lana Codes
Yes
2023-05-12 (about 4 months ago)
2023-05-12 (about 4 months ago)
2023-09-15 (about 19 days ago)