Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
1. Ensure Contact Form 7 is installed, along with this plugin
2. Visit Contact > Ultimate Addons, ensure "Database" is checked, and click Save.
3. Visit Contact > Ultimate DB, select a form, and Submit.
4. In the URL, append the following payload, and see the alert upon loading the new page: &s=%3Cimg%20src=x%20onerror=alert(/XSS/)%3E