The plugin does not escape a generated URL before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting
https://example.com/all-ads/?"><script>alert(/XSS/)</script> https://example.com/all-properties/?"><script>alert(/XSS/)</script>
Team ISH Tecnologia (Thiago Martins, Jorge Buzeti, Leandro Inacio, Lucas de Souza, Matheus Oliveira, Filipe Baptistella, Leonardo Paiva, Jose Thomaz, Joao Maciel, Vinicius Pereira, Geovanni Campos, Hudson Nowak, Guilherme Acerbi) and Islan Ferreira.
Geovanni Campos
Yes
2022-08-22 (about 1 years ago)
2022-08-22 (about 1 years ago)
2023-05-13 (about 4 months ago)