The plugin does not sanitize parameters before storing them in the database, nor does it escape the values when outputting them back in the admin dashboard, leading to a Stored Cross-Site Scripting vulnerability.
Proof of Concept
- Log on to the site using a subscriber account.
- On the page where the shortcode is rendered, click on "Why not add your own race result?"
- In the "Event Name" field, enter "><img src=x onerror=alert(1)// >, and fill in & submit the rest of the form.
- As an administrator, visit /wp-admin/admin.php?page=wp-athletics-manage-results
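The two missing controls described above, shown as an added illustrative example rather than the plugin's own code: the table name, column name, `$_POST` field name and function names are all assumptions; the WordPress functions (`sanitize_text_field`, `wp_unslash`, `esc_html`, `$wpdb->insert`) are real.

```php
<?php
// Added example, not wp-athletics code. Table, column and field names are assumed.

// Weak pattern: the submitted value is stored as-is and echoed as-is in the admin page.
function weak_save_result() {
    global $wpdb;
    $wpdb->insert( $wpdb->prefix . 'athletics_results', array(
        'event_name' => $_POST['event_name'], // stored without sanitization
    ) );
}
function weak_render_results() {
    global $wpdb;
    $rows = $wpdb->get_results( "SELECT event_name FROM {$wpdb->prefix}athletics_results" );
    foreach ( $rows as $row ) {
        // Unescaped: any markup stored in event_name is parsed by the administrator's browser.
        echo '<td>' . $row->event_name . '</td>';
    }
}

// Hardened pattern: sanitize on input, escape on output.
// Output escaping is the control that actually prevents the stored XSS;
// input sanitization is defense in depth and also keeps the database clean.
function hardened_save_result() {
    global $wpdb;
    // wp_unslash() removes WordPress' added slashes; sanitize_text_field() strips tags,
    // line breaks and invalid UTF-8 from a single-line text value.
    $event_name = sanitize_text_field( wp_unslash( $_POST['event_name'] ?? '' ) );
    $wpdb->insert(
        $wpdb->prefix . 'athletics_results',
        array( 'event_name' => $event_name ),
        array( '%s' )
    );
}
function hardened_render_results() {
    global $wpdb;
    $rows = $wpdb->get_results( "SELECT event_name FROM {$wpdb->prefix}athletics_results" );
    foreach ( $rows as $row ) {
        // esc_html() entity-encodes < > & " ' so a stored value is rendered as text, not markup.
        echo '<td>' . esc_html( $row->event_name ) . '</td>';
    }
}
```

Escaping must happen at every output site (use `esc_attr()` inside attributes and `esc_html()` between tags); sanitizing on save alone does not protect values that were stored before the fix.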