Multiple Stored Authenticated Cross-Site Scripting (XSS) vulnerabilities found by Javier Olmedo in WordPress All In One Favicon plugin (versions <= 4.6).
This plugin was closed on July 13, 2018 and is no longer available for download. Deactivate and delete asap.