The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
1. Navigate to New Form » go to the Settings of the Button and add the payload into the "Text" section: ><img src=x onerror=alert(/XSS/)> 2. You will observe that the payload successfully got stored in the database, and when you are triggering the same functionality in the time JavaScript payload is executing successfully, and we are getting a pop-up.
Vaibhav Koli
Vaibhav Koli
Yes
2022-11-16 (about 6 months ago)
2022-11-16 (about 6 months ago)
2022-11-16 (about 6 months ago)