The plugin doesn't sanitise and escape some of its settings while outputting them in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue.
Put the following payloads in the "Note title" and "Note message" settings of the plugin:

"><script>alert(/XSS-Title/)</script>

and

</textarea><script>alert(/XSS-Msg/)</script>

Then visit the Admin Dashboard homepage or the plugin's settings (/wp-admin/admin.php?page=Splash_Header_Display&tab=homepage) to trigger the XSS.

https://github.com/xiahao90/CVEproject/blob/main/wordpress_Splashheader_XSS.md
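The missing output escaping described above, shown next to the corrected form. This is an added example, not the plugin's code: the field names note_title and note_message and the input/textarea markup are assumptions inferred from the two payloads, and htmlspecialchars() stands in for WordPress's esc_attr() and esc_textarea() so the file runs with the PHP CLI alone.

```php
<?php
// Constructed sample input: the two payloads from the proof of concept,
// as they would sit in the stored plugin settings (key names are hypothetical).
$settings = [
    'note_title'   => '"><script>alert(/XSS-Title/)</script>',
    'note_message' => '</textarea><script>alert(/XSS-Msg/)</script>',
];

// Vulnerable pattern: stored values are echoed into the admin page unchanged.
// The title closes the value attribute and the tag; the message closes the textarea.
function render_unsafe(array $s): string {
    return '<input type="text" name="note_title" value="' . $s['note_title'] . '">' . "\n"
         . '<textarea name="note_message">' . $s['note_message'] . '</textarea>';
}

// Escape for the HTML context at output time.
// In WordPress: esc_attr() for attribute values, esc_textarea() for textarea bodies.
function esc(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: same markup, every stored value escaped where it is printed.
// Sanitising on save as well (sanitize_text_field(), sanitize_textarea_field()
// in WordPress) is a second layer, not a replacement for this.
function render_safe(array $s): string {
    return '<input type="text" name="note_title" value="' . esc($s['note_title']) . '">' . "\n"
         . '<textarea name="note_message">' . esc($s['note_message']) . '</textarea>';
}

// Crude check used for this demo only: is a literal <script tag present in the markup?
function has_script_tag(string $html): bool {
    return stripos($html, '<script') !== false;
}

$renderings = [
    'unescaped' => render_unsafe($settings),
    'escaped'   => render_safe($settings),
];

foreach ($renderings as $label => $html) {
    printf("[%s] script tag present: %s\n%s\n\n",
        $label, has_script_tag($html) ? 'yes' : 'no', $html);
}
```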
xiahao
xiahao
Yes
2021-07-29 (about 1 years ago)
2021-08-19 (about 1 years ago)
2022-04-09 (about 1 years ago)