The plugin does not sanitise and escape some parameters available to high-privilege users such as admin, which could allow them to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CPE

Name | Operator | Version
---|---|---
ultimate-reviews | lt | 3.0.16
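The snippet below is an added illustration, not code from the Ultimate Reviews plugin or from this advisory. It shows the pattern the description refers to (a setting stored and echoed back without sanitisation or escaping) next to a hardened version in which input is filtered according to the saving user's capabilities and output is escaped for the context it lands in. The option names `ur_example_heading` and `ur_example_intro`, the nonce action and the form field names are assumptions.

```php
<?php
// Added example (not the plugin's own code). Option names, nonce action and
// form fields are hypothetical.

// --- Unsafe pattern: raw request value stored and echoed unchanged. ---
// Whatever markup is submitted is persisted and rendered for every visitor.
// Because nothing filters the value, the unfiltered_html capability has no
// effect here: an admin on a site that disallows it can still store markup
// the capability was meant to keep out.
function ur_example_save_unsafe() {
    if ( isset( $_POST['ur_example_heading'] ) ) {
        update_option( 'ur_example_heading', $_POST['ur_example_heading'] );
    }
}

function ur_example_render_unsafe() {
    echo '<h2>' . get_option( 'ur_example_heading' ) . '</h2>';
}

// --- Hardened pattern: sanitise on save, escape on output. ---
function ur_example_save_safe() {
    // Authorisation and CSRF protection come before any write.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'ur_example_save', 'ur_example_nonce' );

    if ( isset( $_POST['ur_example_heading'] ) ) {
        $raw = wp_unslash( $_POST['ur_example_heading'] );
        // Plain-text setting: tags and control characters are stripped outright.
        update_option( 'ur_example_heading', sanitize_text_field( $raw ) );
    }

    if ( isset( $_POST['ur_example_intro'] ) ) {
        $raw = wp_unslash( $_POST['ur_example_intro'] );
        // Rich-text setting: only a user who actually holds unfiltered_html may
        // store arbitrary markup; everyone else, admins included when the
        // capability is disallowed, is limited to the post-safe allow-list.
        // This gate is what makes the capability meaningful for plugin settings.
        $clean = current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );
        update_option( 'ur_example_intro', $clean );
    }
}

function ur_example_render_safe() {
    // Escape late, for the exact output context, regardless of who saved it.
    $heading = get_option( 'ur_example_heading', '' );
    echo '<h2>' . esc_html( $heading ) . '</h2>';
    echo '<input type="text" name="ur_example_heading" value="' . esc_attr( $heading ) . '">';

    // Filtering the rich-text value again on output is defence in depth: it
    // protects against values written through other code paths or imports.
    // A site that must preserve markup saved by unfiltered_html holders verbatim
    // would instead echo the stored value and rely solely on the save-time gate.
    echo '<div class="ur-intro">' . wp_kses_post( get_option( 'ur_example_intro', '' ) ) . '</div>';
}
```

The two halves that matter for this advisory are the capability check at save time and the context-specific escaping at render time; either one alone leaves a gap (unescaped output still renders stored markup, and escaping without a save-time filter lets unwanted markup persist in the database and reach other consumers).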