The plugin allows bad actors with administrator access to the settings page to inject JavaScript code into its settings, leading to stored Cross-Site Scripting that will only affect administrator users.
In the Page/Post Access tab, use the XSS payload "><script>alert('XSS')</script> in any of the pages available. The XSS will be triggered in the plugin's admin panel.
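The attribute breakout behind the proof of concept above, shown next to the escaped form, as an added example that is not the plugin's own code. The field name `page_access[12]` and the functions `render_field_unsafe`, `render_field_safe` and `save_field` are hypothetical, and the fallback definitions are simplified stand-ins for WordPress's `esc_attr()` and `sanitize_text_field()` so the script also runs outside WordPress.

```php
<?php
// Added example: a hypothetical settings field, not the plugin's actual code.
// Inside WordPress the real esc_attr() and sanitize_text_field() are used;
// the fallbacks below are simplified stand-ins for running the script alone.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($text) {
        // Stand-in behaviour: drop tags, collapse whitespace, trim.
        return trim(preg_replace('/\s+/', ' ', strip_tags((string) $text)));
    }
}

// Before: the stored setting is echoed into a quoted attribute unescaped,
// so a leading "> closes the attribute and the tag.
function render_field_unsafe($stored) {
    return '<input type="text" name="page_access[12]" value="' . $stored . '">';
}

// After: the value is escaped for the attribute context at output time.
function render_field_safe($stored) {
    return '<input type="text" name="page_access[12]" value="' . esc_attr($stored) . '">';
}

// Save side: normalise the submitted value before it is stored.
function save_field($submitted) {
    return sanitize_text_field($submitted);
}

// The test string from the proof of concept above.
$poc = '"><script>alert(\'XSS\')</script>';
$stored = save_field($poc);

echo "unsafe render:  ", render_field_unsafe($poc), "\n";
echo "safe render:    ", render_field_safe($poc), "\n";
echo "value as saved: ", $stored, "\n";
echo "saved + escaped: ", render_field_safe($stored), "\n";

// Regression check: neither a raw <script> nor a raw quote from the value
// may reach the markup once it has been escaped.
if (strpos(render_field_safe($poc), '<script') !== false
    || strpos(esc_attr($stored), '"') !== false) {
    throw new RuntimeException('setting value reached the markup unescaped');
}
```

The saved value still contains the double quote after tag stripping, which is why the output-side `esc_attr()` call is needed even when input is sanitised on save.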
Niraj Mahajan
Niraj Mahajan
Yes
2022-04-01 (about 3 months ago)
2022-04-01 (about 3 months ago)
2022-04-09 (about 2 months ago)