The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup, where by default only super admins hold that capability).
Logged in to the WordPress backend as an Administrator.
1. Install the plugin named: Social Rocket – Social Sharing Plugin
2. Activate the plugin.
3. In the left-hand menu, click Social Rocket > Floating Buttons.
4. Click Activate Networks and select Twitter as a social icon.
5. Hover over the Advanced button for this social button.
6. In the button Text field, enter the following payload:
"><svg onload=alert(/XSSTEST/)>
7. Click Done.
8. Click the Save button at the far right.
9. The stored payload executes and the alert box pops up, confirming the stored XSS.
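The root cause described above is the classic pair of missing controls on a plugin setting: no sanitisation when the value is saved, and no context-aware escaping when it is rendered. The following is an added illustration, not Social Rocket's own code: a hypothetical "button text" option shown first as the vulnerable pattern and then hardened with the WordPress APIs that address each half. The option name, field name, nonce action and function names are assumptions for illustration only.

```php
<?php
// Added example (not Social Rocket's code): a hypothetical "button text" setting
// saved from a plugin admin page and rendered into a floating share button.
// 'demo_button_text' and the demo_* function names are assumptions for illustration.

// --- Vulnerable pattern (mirrors the behaviour reported above) ---
function demo_save_button_text_vulnerable() {
    // The raw POST value is stored as-is; nothing strips "><svg onload=alert(1)>.
    // WordPress core only applies kses filtering to post content for users without
    // unfiltered_html; plugin options written with update_option() are not filtered.
    if ( isset( $_POST['demo_button_text'] ) ) {
        update_option( 'demo_button_text', wp_unslash( $_POST['demo_button_text'] ) );
    }
}

function demo_render_button_vulnerable() {
    $text = get_option( 'demo_button_text', 'Share' );
    // Unescaped interpolation inside a double-quoted attribute and in element text:
    // a stored value of  "><svg onload=alert(1)>  closes the title attribute and
    // the <a> tag, and the injected <svg> fires on every page that renders the button.
    return '<a class="demo-share" title="' . $text . '">' . $text . '</a>';
}

// --- Hardened pattern ---
function demo_register_settings() {
    // Sanitise on save: sanitize_text_field() strips tags and control characters,
    // so only plain text reaches the database regardless of who submitted the form.
    register_setting(
        'demo_options',
        'demo_button_text',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => 'Share',
        )
    );
}
add_action( 'admin_init', 'demo_register_settings' );

function demo_save_button_text_hardened() {
    if ( ! isset( $_POST['demo_button_text'] ) ) {
        return;
    }
    // Any settings write should also be gated by capability and nonce checks.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'demo_save_button_text' ); // nonce action name is assumed

    // Sanitise explicitly even when a sanitize_callback is registered, so a
    // direct update path cannot bypass it.
    $text = sanitize_text_field( wp_unslash( $_POST['demo_button_text'] ) );
    update_option( 'demo_button_text', $text );
}

function demo_render_button_hardened() {
    $text = get_option( 'demo_button_text', 'Share' );
    // Escape on output for the context in which the value lands:
    // esc_attr() inside the attribute, esc_html() inside the element body.
    // This layer holds even if a malicious value already reached the database
    // before the sanitisation fix was deployed.
    return '<a class="demo-share" title="' . esc_attr( $text ) . '">'
        . esc_html( $text ) . '</a>';
}
```

Both layers matter. Run the PoC payload through sanitize_text_field() and the stored value becomes `">`, which is harmless as text but would still close the attribute if rendered raw; esc_attr() turns it into `&quot;&gt;`, so the attribute can no longer be broken out of. If the plugin genuinely needs to allow limited markup in a setting, the right replacement for the raw value is wp_kses() with an explicit allowed-tags array, never a capability check on unfiltered_html alone, because that capability does not exist for normal administrators on multisite and is exactly the condition under which this report was made.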