Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
1. Create a form and navigate to ‘Edit’ and ‘Settings.’ 3. Under the ‘On submit action,’ select the option to “Stay on the page and display a classic JavaScript alert box with a message.” 3. Enter the payload is provided: `alert(document.domain)
CPE | Name | Operator | Version |
---|---|---|---|
eq | 1.3.44 |