The plugin does not sanitise and escape plugin settings which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Plugin settings > Style Settings > button border radius (or another field): enter the following in the input field: alert(‘XSS’);alert(‘XSS’);
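The root cause named above is a settings value that is neither sanitised on save nor escaped on output. The following is an added, hypothetical WordPress Settings API snippet (not the plugin's own source); it assumes an option named `lwp_demo_button_radius` and a helper `lwp_demo_sanitize_radius` that do not exist in the plugin, and shows the weak pattern beside the corrected one.

```php
<?php
// Hypothetical plugin settings code (not from login-with-phone-number): a
// "button border radius" style setting stored via the Settings API and then
// printed into inline CSS.

// --- Weak form: saved as typed and echoed unescaped ---------------------------
// Whatever an administrator types is stored verbatim and written into the page
// verbatim, so HTML in the value executes even when unfiltered_html is disallowed.
function lwp_demo_register_unsafe() {
    register_setting( 'lwp_demo', 'lwp_demo_button_radius' ); // no sanitize_callback
}
function lwp_demo_print_unsafe() {
    $radius = get_option( 'lwp_demo_button_radius', '4px' );
    echo '<style>.lwp-button{border-radius:' . $radius . ';}</style>'; // unescaped
}

// --- Hardened form: sanitise on save, escape on output ------------------------
// Accept only a CSS length such as "4px", "0.5em" or "10%".
function lwp_demo_sanitize_radius( $value ) {
    $value = trim( (string) $value );
    if ( preg_match( '/^\d+(\.\d+)?(px|em|rem|%)$/', $value ) ) {
        return $value;
    }
    add_settings_error(
        'lwp_demo_button_radius',
        'lwp_demo_invalid_radius',
        'Border radius must be a CSS length such as 4px.'
    );
    return '4px'; // fall back to a safe default instead of storing the input
}
function lwp_demo_register_safe() {
    register_setting( 'lwp_demo', 'lwp_demo_button_radius', array(
        'type'              => 'string',
        'sanitize_callback' => 'lwp_demo_sanitize_radius',
        'default'           => '4px',
    ) );
}
function lwp_demo_print_safe() {
    // Escape at output as well: sanitisation on save does not cover values
    // written to the database directly or stored before the fix was applied.
    $radius = esc_attr( get_option( 'lwp_demo_button_radius', '4px' ) );
    echo '<style>.lwp-button{border-radius:' . $radius . ';}</style>';
}
add_action( 'admin_init', 'lwp_demo_register_safe' );
add_action( 'wp_head', 'lwp_demo_print_safe' );
```

A quick check for a settings-based XSS fix is to save a value containing `<` or `>` and confirm it is rejected or encoded both in the stored option and in the rendered page source.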
| CPE | Name | Operator | Version |
|---|---|---|---|
| | login-with-phone-number | lt | 1.3.8 |