The plugin does not escape the viewed post URL before outputting it back in onclick attributes when the "Enable 'More' icon" option is enabled (which is the default setting), leading to a Reflected Cross-Site Scripting issue. Note: Vendor was notified on September 14th, 2021.
https://example.com/any-post/?a"><script>alert(/XSS/)</script>
Paul J. Martinez
Paul J. Martinez
Yes
2022-03-15 (about 3 months ago)
2022-03-15 (about 3 months ago)
2022-04-09 (about 2 months ago)