The plugin does not escape one of its settings, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite).
Put the following payload in the "Zillow Business URL" setting of the plugin: "><img src onerror=alert(/XSS/)>
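The unescaped-output pattern described above, next to a hardened form, as an added example that is not the plugin's own code. The option name, settings group and function names are hypothetical; only WordPress core functions are used.

```php
<?php
/**
 * Plugin Name: Demo URL setting escaping (added illustration)
 * All demo_* names and the option key are hypothetical, not from the plugin.
 */

const DEMO_OPTION = 'demo_zillow_business_url';

// Vulnerable pattern: the stored value is concatenated into value="..."
// without escaping, so a double quote in the setting closes the attribute
// and the rest of the value is parsed as markup.
function demo_render_field_vulnerable() {
    $url = get_option( DEMO_OPTION, '' );
    echo '<input type="text" name="' . DEMO_OPTION . '" value="' . $url . '">';
}

// Hardened output: escape for the HTML attribute context at the point of
// output, regardless of who saved the value or what capability they hold.
function demo_render_field_hardened() {
    $url = get_option( DEMO_OPTION, '' );
    printf(
        '<input type="url" name="%s" value="%s">',
        esc_attr( DEMO_OPTION ),
        esc_attr( $url )
    );
}

// Hardened input: normalise the value to an http(s) URL before it is stored.
// esc_url_raw() drops characters that are not valid in a URL, including the
// double quote and angle brackets, and returns '' for other protocols.
function demo_sanitize_business_url( $value ) {
    return esc_url_raw( trim( (string) $value ), array( 'http', 'https' ) );
}

// Attach the sanitizer so every save of the option passes through it.
add_action( 'admin_init', function () {
    register_setting(
        'demo_settings_group',
        DEMO_OPTION,
        array(
            'type'              => 'string',
            'sanitize_callback' => 'demo_sanitize_business_url',
            'default'           => '',
        )
    );
} );
```

Sanitizing on save does not replace escaping on output: values already stored before the sanitizer was added are only neutralised by the `esc_attr()` call.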
moresec
Yes
2022-05-30 (about 2 months ago)