The plugin does not escape custom fields before outputting them, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Please note that such an attack is still possible by Admin+ users in single-site blogs by default (but won't be when unfiltered_html is disallowed).
As a contributor, add a custom field to a post (while in the post editor, open the Options panel > Preferences > Panels and enable Custom Fields), such as test_xss with a value of <script>alert(/XSS/)</script>. Then add the shortcode [field test_xss] to the post and view/preview it to trigger the XSS.
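The missing output escaping described above, shown beside a hardened handler. This is an added example, not the affected plugin's code: the demo_field shortcode, its key and html attributes, and both function names are hypothetical, and the file is assumed to be loaded as a plugin inside WordPress.

```php
<?php
/**
 * Plugin Name: Demo field shortcode (added example, hypothetical)
 */

// Vulnerable pattern: the stored meta value is returned as-is, so any markup
// a low-privileged author saved in the custom field is rendered in the
// browser of whoever views or previews the post.
function demo_field_unescaped( $atts ) {
    $atts = shortcode_atts( array( 'key' => '' ), $atts, 'demo_field' );
    return get_post_meta( get_the_ID(), $atts['key'], true );
}

// Hardened pattern: escape at output time, whatever role saved the value.
function demo_field_escaped( $atts ) {
    $atts = shortcode_atts(
        array(
            'key'  => '',
            'html' => '', // hypothetical opt-in: html="allow"
        ),
        $atts,
        'demo_field'
    );

    $value = get_post_meta( get_the_ID(), $atts['key'], true );

    // Serialized meta comes back as an array or object; there is no safe
    // string form to print, so output nothing.
    if ( ! is_scalar( $value ) ) {
        return '';
    }
    $value = (string) $value;

    // Opt-in formatting passes through the same KSES allow-list WordPress
    // applies to post content from users without unfiltered_html.
    if ( 'allow' === $atts['html'] ) {
        return wp_kses_post( $value );
    }

    // Default: entity-encode everything so the value renders as text.
    return esc_html( $value );
}

// Only the hardened handler is registered.
add_shortcode( 'demo_field', 'demo_field_escaped' );
```

With the hardened handler, the test_xss value from the steps above is displayed as literal text rather than executed.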
Francesco Carlucci
Francesco Carlucci
Yes
2022-02-02 (about 3 months ago)
2022-02-02 (about 3 months ago)
2022-04-09 (about 1 month ago)