The Anti-Malware Security and Brute-Force Firewall WordPress plugin before 4.20.94 does not sanitise and escape the POST data before outputting it back in attributes of an admin page, leading to a Reflected Cross-Site scripting. Due to the presence of specific parameter value, available to admin users, this can only be exploited by an admin against another admin user.
[
{
"product": "Anti-Malware Security and Brute-Force Firewall",
"vendor": "Unknown",
"versions": [
{
"lessThan": "4.20.94",
"status": "affected",
"version": "4.20.94",
"versionType": "custom"
}
]
}
]