The plugin was vulnerable to Stored Cross-Site Scripting (XSS) in the "hotjar script" textarea. The request did include a CSRF nonce that was properly verified by the server and this vulnerability could only be exploited by administrator users.
Proof of Concept
Step 1: Install and activate the plugin "Hotjar Connecticator" Step 2: Now enter the following script on the "Hotjar script" text field. abc</textarea><script>alert(xss)</script> Step 3: Now we can see the script is stored and executed all the when we visit the website.
No known fix - plugin closed
2021-05-04 (about 4 months ago)
2021-05-06 (about 4 months ago)
2021-05-07 (about 4 months ago)