The plugin doesn't properly sanitise its Custom CSS settings, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Put the following code in the Custom CSS settings of the plugin:
</style> <script> setTimeout("alert('1')",3000) </script> <style>
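The payload works because the stored CSS is printed inside a style element, so a closing style tag in the value ends that element and the rest is parsed as HTML. The following is an added example, not the plugin's code or its actual fix, of rejecting markup when the setting is saved and neutralising the closing sequence when it is printed. The function names are hypothetical, the benign sample is constructed, and it assumes the value is output between style tags as the proof of concept implies.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not taken from the plugin.

/**
 * Save-time check: return the CSS unchanged when it contains no markup,
 * or null when it must be rejected. "<" followed by a letter, "/" or "!"
 * starts an HTML tag, closing tag or comment; valid CSS does not need it.
 */
function example_validate_custom_css(string $css): ?string
{
    return preg_match('#<[/!a-z]#i', $css) === 1 ? null : $css;
}

/**
 * Output-time defence for values stored before validation existed.
 * Inside a style element only the sequence "</style" ends the element,
 * so rewriting "</" as "<\/" keeps every byte of the value inside CSS.
 */
function example_render_style_block(string $css): string
{
    $safe = str_replace('</', '<\\/', $css);
    return "<style>\n{$safe}\n</style>\n";
}

$samples = [
    // Payload quoted in the advisory above.
    'advisory payload' => '</style> <script> setTimeout("alert(\'1\')",3000) </script> <style>',
    // Constructed benign value; the range comparison must stay accepted.
    'benign CSS' => '@media (width < 600px) { .site-title { color: #336699; } }',
];

foreach ($samples as $label => $css) {
    $stored = example_validate_custom_css($css);
    printf("%s: %s\n", $label, $stored === null ? 'rejected on save' : 'accepted');
}

// A legacy value that bypassed validation is still contained at output.
echo example_render_style_block($samples['advisory payload']);
```

Both checks run regardless of the user's role, which matches the advisory's point that the setting must be safe even for accounts without the unfiltered_html capability.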
xiahao
xiahao
Yes
2021-07-29 (about 1 year ago)
2021-08-19 (about 11 months ago)
2022-04-09 (about 4 months ago)