The plugin allows bad actors with administrator privileges to the settings page to inject Javascript code to its settings leading to stored Cross-Site Scripting that will only affect administrator users.
In Page/Post Access tab, Use XSS Payload as "><script>alert('XSS')</script> in any of the pages available. XSS will be triggered at the plugin's admin panel.
Niraj Mahajan
Niraj Mahajan
Yes
2022-04-01 (about 1 years ago)
2022-04-01 (about 1 years ago)
2022-04-09 (about 1 years ago)