Description
The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
There are two fields affected by a stored XSS vulnerability.
First:
1. Add new serial code
2. On the multiline field "Codes to store on the server" enter the payload: <td></td><script>alert(1)</script><td></td>
3. Press "Store codes"
4. Go back to https://example.com/wp-admin/admin.php?page=sngmbh-serialcodes-validator and observe the XSS firing.
Second:
1. Add new code list category
2. On the multiline field "Name" enter the payload: <td></td><script>alert(2)</script><td></td>
3. Go back to the plugin settings and see the XSS.
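Both fields fail the same way: the setting is saved verbatim and later echoed into a table cell without escaping, so any markup in the stored value renders as markup. The PHP below is an added illustration, not the plugin's own code; the option keys, form field names, nonce action and function names are assumptions. It shows that pattern next to the hardened version a reviewer would ask for: a capability check and nonce on save, sanitisation of the submitted value, and escaping at the point of output.

```php
<?php
// Added example (not the plugin's code). Option keys, POST field names and
// the nonce action below are assumptions chosen for illustration.

const EXAMPLE_OPT_CODES    = 'example_serial_codes';        // assumed option key
const EXAMPLE_OPT_CATEGORY = 'example_code_list_category';  // assumed option key

// --- Vulnerable pattern: the raw POST value is stored and later echoed as-is. ---
function example_save_settings_vulnerable() {
    update_option( EXAMPLE_OPT_CODES, $_POST['codes'] );        // no sanitisation
    update_option( EXAMPLE_OPT_CATEGORY, $_POST['category'] );  // no sanitisation
}

function example_render_vulnerable() {
    // Stored markup lands inside the <td> unescaped, which is the stored XSS described above.
    echo '<table><tr><td>' . get_option( EXAMPLE_OPT_CATEGORY ) . '</td></tr>';
    foreach ( explode( "\n", (string) get_option( EXAMPLE_OPT_CODES ) ) as $code ) {
        echo '<tr><td>' . $code . '</td></tr>';
    }
    echo '</table>';
}

// --- Hardened pattern: authorise, verify the nonce, sanitise on save, escape on output. ---
function example_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // Dies if the nonce is missing or invalid (action name is an assumption).
    check_admin_referer( 'example_save_settings' );

    // sanitize_textarea_field() keeps line breaks but strips tags and invalid UTF-8;
    // sanitize_text_field() is the single-line equivalent. wp_unslash() removes the
    // slashes WordPress adds to request data before sanitising.
    $codes    = sanitize_textarea_field( wp_unslash( $_POST['codes'] ?? '' ) );
    $category = sanitize_text_field( wp_unslash( $_POST['category'] ?? '' ) );

    update_option( EXAMPLE_OPT_CODES, $codes );
    update_option( EXAMPLE_OPT_CATEGORY, $category );
}

function example_render_hardened() {
    // Escape at the point of output no matter what is stored. esc_html() does not
    // depend on the unfiltered_html capability, so the protection also holds in
    // multisite installs where that capability is removed from administrators.
    echo '<table><tr><td>' . esc_html( get_option( EXAMPLE_OPT_CATEGORY, '' ) ) . '</td></tr>';
    foreach ( explode( "\n", (string) get_option( EXAMPLE_OPT_CODES, '' ) ) as $code ) {
        $code = trim( $code );
        if ( '' === $code ) {
            continue;
        }
        echo '<tr><td>' . esc_html( $code ) . '</td></tr>';
    }
    echo '</table>';
}

// Optional: when the options are registered through the Settings API, the same
// sanitiser can be attached so every write path is covered, not only this form.
add_action( 'admin_init', function () {
    register_setting( 'example_settings_group', EXAMPLE_OPT_CODES, array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_textarea_field',
    ) );
    register_setting( 'example_settings_group', EXAMPLE_OPT_CATEGORY, array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
    ) );
} );
```

Sanitising on save alone is not sufficient, because an existing database row written by an older version, an import, or another plugin would still render raw; escaping on output is the control that closes the issue for values already stored. For a quick check of a fix, save the two payloads from the steps above in a test install and confirm the settings page shows them as literal text rather than executing them.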