The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
As admin, put the following payloads in Settings > Goolytics > Google Analytics ID field and save: "><svg/onload=prompt(/XSS/)>
Mika
Mika
Yes
2022-09-07 (about 1 years ago)
2022-09-07 (about 1 years ago)
2022-09-07 (about 1 years ago)