Description

The plugin doesn’t prevent attackers with author privileges and higher from inserting malicious JavaScript inside a post’s header or footer code.

- As a user with Author+ capabilities, create a new post draft
- Save it, then edit it using the PageLayer page builder
- Navigate to the "Advanced" tab, and then the "Header, Body and Footer" section
- Enter `</textarea><script>alert(1);</script>` in the Header, Body and Footer code text areas, and save.
- Previewing the resulting post should make the alert prompts go off.
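
The two missing controls, shown as an added example that is not the plugin's own code: encoding the stored value on output and gating who may save raw header/footer code. All function and field names are hypothetical, and the example assumes the value is echoed back into a `<textarea>`, as the `</textarea>` prefix in the payload suggests.

```php
<?php
// Added illustration with hypothetical names; not PageLayer's code.

// Constructed sample input: the value from the reproduction steps above.
$stored = '</textarea><script>alert(1);</script>';

// Unsafe: the stored value is echoed raw into the editor's textarea, so
// "</textarea>" ends the element and the <script> after it is parsed.
function render_field_unsafe(string $value): string {
    return '<textarea name="header_code">' . $value . '</textarea>';
}

// Hardened output: encode the value. WordPress's esc_textarea() does this
// job; htmlspecialchars() is used so the file runs without WordPress.
function render_field_safe(string $value): string {
    return '<textarea name="header_code">'
        . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</textarea>';
}

// Hardened save path: accept raw header/footer code only from users who may
// post unfiltered HTML; otherwise keep the previously stored value.
// In WordPress the flag would come from current_user_can('unfiltered_html'),
// a capability the Author role does not have by default.
function save_field(string $submitted, string $existing, bool $canUnfilteredHtml): string {
    return $canUnfilteredHtml ? $submitted : $existing;
}

// Report whether a rendered field still contains a live <script> tag.
function has_script_tag(string $html): bool {
    return stripos($html, '<script') !== false;
}

$checks = [
    'unsafe render contains <script>' => has_script_tag(render_field_unsafe($stored)),
    'safe render contains <script>'   => has_script_tag(render_field_safe($stored)),
    'author submission stored'        => save_field($stored, '', false) === $stored,
    'privileged submission stored'    => save_field($stored, '', true) === $stored,
];

foreach ($checks as $label => $result) {
    echo str_pad($label, 34) . ($result ? 'yes' : 'no') . PHP_EOL;
}
```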