Description

The plugin does not prevent users with administrator privileges from inserting malicious JavaScript into a post's header or footer code, even when the `unfiltered_html` capability is disallowed, as it is for site administrators in multisite WordPress configurations.
- As a user with Author+ capabilities, create a new post draft
- Save it, then edit it using the PageLayer page builder
- Navigate to the "Advanced" tab, and then the "Header, Body and Footer" section
- Enter `</textarea><script>alert(1);</script>` in the Header, Body and Footer code text areas, and save.
- Previewing the resulting post should trigger the alert prompts.
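The payload above works because a `<textarea>` is an RCDATA element: the browser stops treating its content as text at the first literal `</textarea>`, so any stored value echoed into the editor's textarea without escaping can close it and start a `<script>` element. The same stored value is then written into the post's front-end markup. The following is an added example, not PageLayer's own code, that models both render paths and the check a plugin should make. The field name `pagelayer_header`, the `escapeHtml` helper (doing what `esc_textarea()` does in WordPress), and the script-stripping in `renderFrontEnd` (a stand-in for running the value through `wp_kses_post()` when the user lacks `unfiltered_html`) are assumptions for illustration. `scriptTagsOutsideTextarea` is a small tag scanner that counts `<script>` start tags a browser would actually parse as elements.

```javascript
// Added example, not PageLayer code. Models how a stored header/footer value
// reaches the browser and why "</textarea>" in that value matters.

// Constructed input, taken from the PoC above.
const PAYLOAD = '</textarea><script>alert(1);</script>';

// Same characters esc_textarea()/htmlspecialchars() encode (assumption: stand-in helper).
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Editor path: the stored value is echoed back into the settings textarea.
// escape=false reproduces the vulnerable pattern; escape=true is the hardened form.
// The field name "pagelayer_header" is hypothetical.
function renderEditorTextarea(storedCode, escape) {
  const body = escape ? escapeHtml(storedCode) : storedCode;
  return `<textarea name="pagelayer_header">${body}</textarea>`;
}

// Front-end path: raw output is only acceptable if the saving user holds
// unfiltered_html. Otherwise the value must be filtered; this regex strip is a
// simplified stand-in for wp_kses_post(), not a complete sanitizer.
function renderFrontEnd(storedCode, userHasUnfilteredHtml) {
  if (userHasUnfilteredHtml) return storedCode;
  return storedCode.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Approximates the HTML tokenizer: inside a <textarea> (RCDATA) only the
// matching end tag is recognised, everything else is text. Counts <script>
// start tags that sit outside a textarea, i.e. ones a browser would execute.
function scriptTagsOutsideTextarea(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
  let inTextarea = false;
  let count = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (inTextarea) {
      if (closing && name === 'textarea') inTextarea = false;
      continue; // RCDATA: "<script>" here is just text
    }
    if (!closing && name === 'textarea') inTextarea = true;
    else if (!closing && name === 'script') count++;
  }
  return count;
}

// Vulnerable editor: the payload closes the textarea and a real <script> follows.
console.log(scriptTagsOutsideTextarea(renderEditorTextarea(PAYLOAD, false))); // 1
// Escaped editor: "&lt;/textarea&gt;" is text, nothing breaks out.
console.log(scriptTagsOutsideTextarea(renderEditorTextarea(PAYLOAD, true)));  // 0
// Front end, user without unfiltered_html: the script block is removed.
console.log(scriptTagsOutsideTextarea(renderFrontEnd(PAYLOAD, false)));       // 0
```

The two checks a practitioner should make in a plugin that stores arbitrary header/footer code are visible in the two render functions: escape the value whenever it is echoed back into a form control, and gate raw front-end output on `current_user_can('unfiltered_html')` at save time (not only at display time), since the capability of the user who stored the value is what determines whether the code is trusted.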