Favicon by RealFaviconGenerator < 1.3.22 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise or escape one of its parameters before outputting it back in the response, leading to a Reflected Cross-Site Scripting (XSS) issue that is executed in the context of a logged-in administrator.
June 28th, 2021 - Details sent to vendor
July 9th, 2021 - Escalated to WP due to lack of response from vendor
July 27th, 2021 - No update, disclosing
August 9th, 2021 - v1.3.22 released, fixing the issue
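
The pattern behind this class of bug, next to its hardened form, as an added example that is not the plugin's own code. The parameter name `example_param` and the markup are hypothetical (the advisory does not name the affected parameter), and the `esc_attr()` / `esc_html()` shims stand in for the WordPress core functions so the script runs outside WordPress.

```php
<?php
// Added illustration, NOT the plugin's code. 'example_param' and the markup
// below are hypothetical; the advisory does not name the real parameter.

// Stand-ins so this runs outside WordPress. Inside WordPress the core
// esc_attr() / esc_html() functions already exist and these are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}

// Vulnerable pattern: the request value is echoed back unchanged.
function render_vulnerable(array $query): string {
    $value = $query['example_param'] ?? '';
    return '<input type="text" name="example_param" value="' . $value . '">'
         . '<p>Current value: ' . $value . '</p>';
}

// Hardened pattern: reject non-strings, then escape for each output context.
function render_hardened(array $query): string {
    $value = $query['example_param'] ?? '';
    if (!is_string($value)) {   // example_param[]=x arrives as an array
        $value = '';
    }
    return '<input type="text" name="example_param" value="' . esc_attr($value) . '">'
         . '<p>Current value: ' . esc_html($value) . '</p>';
}

// Constructed input: a value that tries to close the attribute and add markup.
$constructed = ['example_param' => '"><b id="injected">x</b>'];

$bad  = render_vulnerable($constructed);
$good = render_hardened($constructed);

// Check whether the reflected value became a real element in each response.
var_dump(strpos($bad, '<b id="injected">') !== false);
var_dump(strpos($good, '<b id="injected">') !== false);
echo $good, PHP_EOL;
```

In a real WordPress handler the value would be read with `wp_unslash()` from the request superglobal before escaping, because WordPress adds slashes to request data.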