The plugin does not sanitise and escape its settings, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Put the following payload in any of the plugin's settings (such as Opacity): "><img src=x onerror=alert(/XSS/)>
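The missing sanitise-on-save and escape-on-output steps, shown as an added example in plain PHP; this is not the affected plugin's code. The function names, the "opacity" field name and the 0 to 1 range are assumptions made for illustration. In a WordPress plugin the same two steps are normally done with a sanitize_callback passed to register_setting() and esc_attr() at render time.

```php
<?php
// Added example: hypothetical plugin code, not taken from the affected plugin.

// Constructed input: the payload from the report, as stored in a setting.
$saved = '"><img src=x onerror=alert(/XSS/)>';

// Vulnerable pattern: the stored value is echoed into an attribute as-is,
// so the leading "> closes both the attribute and the <input> tag.
function render_field_vulnerable(string $value): string {
    return '<input type="text" name="opacity" value="' . $value . '">';
}

// Sanitise on save: Opacity is numeric, so accept only a float in the
// assumed range [0, 1] and fall back to a default for anything else.
function sanitize_opacity($raw, float $default = 1.0): float {
    $n = filter_var($raw, FILTER_VALIDATE_FLOAT);
    if ($n === false || $n < 0.0 || $n > 1.0) {
        return $default;
    }
    return $n;
}

// Escape on output: encode the value for an HTML attribute context, so
// quotes and angle brackets stay inside the value="" attribute.
// In WordPress this is the job of esc_attr().
function render_field_hardened(string $value): string {
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="opacity" value="' . $safe . '">';
}

// 1. Unescaped output: the markup gains a second element (<img ...>).
echo render_field_vulnerable($saved), PHP_EOL;

// 2. Escaping alone: the payload is rendered as inert attribute text.
echo render_field_hardened($saved), PHP_EOL;

// 3. Sanitise then escape: the payload is rejected and the default is stored.
echo render_field_hardened((string) sanitize_opacity($saved)), PHP_EOL;

// 4. A legitimate value passes through both steps unchanged.
echo render_field_hardened((string) sanitize_opacity('0.5')), PHP_EOL;
```

Both steps are needed: validation keeps bad data out of the database, while output escaping still protects values that were stored before the fix or written by another code path.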
2022-04-25
2022-04-25
2022-04-29