Description
The plugin does not sanitise and escape some of its settings, which could allow users such as subscribers to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).
1. Register a student account and go to the "Dashboard" plugin (https://example.com/dashboard/settings/)
2. Add the payload `<svg/onload=alert(origin)>` to either the "First Name" or "Last Name" fields.
3. Click on "Update Profile" and reload the page.
4. After the reload, the stored payload executes and you will see the XSS.
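
The fix for the missing sanitisation and escaping described above has two halves: sanitise when the value is saved, and escape when it is rendered. The following is an added example, not the affected plugin's code; the function names, the `example_update_profile` action and the `example_nonce` field are hypothetical, and it assumes the names are stored as user meta.

```php
<?php
// Added example: hypothetical profile handler, not the affected plugin's code.

// Save path: sanitise on input.
function example_save_profile() {
    // Reject requests that lack a valid nonce (CSRF check); dies on failure.
    check_admin_referer( 'example_update_profile', 'example_nonce' );

    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_die( 'Not logged in', '', array( 'response' => 403 ) );
    }

    foreach ( array( 'first_name', 'last_name' ) as $field ) {
        if ( ! isset( $_POST[ $field ] ) ) {
            continue;
        }
        // wp_unslash() removes the slashes WordPress adds to request data;
        // sanitize_text_field() strips tags, so <svg/onload=...> is never stored.
        $value = sanitize_text_field( wp_unslash( $_POST[ $field ] ) );
        update_user_meta( $user_id, $field, $value );
    }

    wp_safe_redirect( wp_get_referer() ?: home_url() );
    exit;
}
add_action( 'admin_post_example_update_profile', 'example_save_profile' );

// Render path: escape on output, even though the value was sanitised on save.
// Values written before the fix, or by other code, may still contain markup.
function example_render_profile_form() {
    $user_id = get_current_user_id();
    $first   = (string) get_user_meta( $user_id, 'first_name', true );
    $last    = (string) get_user_meta( $user_id, 'last_name', true );
    // Vulnerable pattern (assumed shape): value="<?php echo $first; ?>"
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_update_profile">
        <?php wp_nonce_field( 'example_update_profile', 'example_nonce' ); ?>
        <!-- esc_attr() for attribute context, esc_html() for element content -->
        <input type="text" name="first_name" value="<?php echo esc_attr( $first ); ?>">
        <input type="text" name="last_name" value="<?php echo esc_attr( $last ); ?>">
        <p><?php echo esc_html( trim( "$first $last" ) ); ?></p>
        <button type="submit">Update Profile</button>
    </form>
    <?php
}
```

Escaping at output is the half that must not be skipped: it neutralises payloads already stored in the database before the save path was fixed.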