Source: wpvulndb (wpscan.com)
Author: Shreya Pohekar
WPVDB-ID: 4AE6BF90-B100-4BB5-BDD7-8ACDBD950596
Published: Apr 05, 2023 - 12:00 a.m.

Site Reviews < 6.7.1 - Admin+ Stored XSS

Tags: stored cross-site scripting, high privilege user, unfiltered_html capability, multisite setup, poc, vulnerability fix

EPSS: 0.001 (Low)
EPSS Percentile: 23.7%

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PoC

1. Login as Admin.
2. Go to http://vulnerable-site.tld/wp-admin/edit.php?post_type=site-review&page=glsr-settings&tab=general
3. Make some changes in the schema tab and intercept the request.
4. The form will have the parameter site_reviews_v6[settings][general][notification_message]
5. Insert the following payload in it: **A new {review_rating}-star review has been submitted:** {review_title} {review_content} {review_author} <{review_email}> - {review_ip} {review_link}
6. Hit send and the XSS payload will be saved and will be triggered whenever the settings page is open.
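The root cause described above is a setting that is stored verbatim and later echoed into the settings page without escaping. The following is an added illustration, not the Site Reviews plugin's own code: it shows the unsafe save/render pattern next to a hardened version that escapes the stored template at every output point (the option name `example_notification_message` and the function names are assumptions). The template is kept as entered because the plugin's default value legitimately contains `<{review_email}>`, so stripping tags on save would corrupt it; late escaping is what stops the stored value from executing.

```php
<?php
// Added illustration (not the plugin's code). Option and function names are
// assumed for the example. Requires the WordPress runtime (update_option,
// get_option, wp_unslash, esc_textarea, esc_html, current_user_can).

// Vulnerable pattern: raw input stored, then echoed unescaped into the form.
function insecure_save_notification_message(array $post): void {
    $value = $post['site_reviews_v6']['settings']['general']['notification_message'] ?? '';
    update_option('example_notification_message', $value);
}
function insecure_render_notification_message(): void {
    $value = get_option('example_notification_message', '');
    // Any markup in $value becomes live HTML on the settings page.
    echo '<textarea name="site_reviews_v6[settings][general][notification_message]">'
        . $value . '</textarea>';
}

// Hardened pattern: check capability on save, escape on every output.
function secure_save_notification_message(array $post): void {
    if (!current_user_can('manage_options')) {
        return; // only users allowed to manage settings may change the template
    }
    $raw = wp_unslash($post['site_reviews_v6']['settings']['general']['notification_message'] ?? '');
    // Stored as entered so placeholders such as <{review_email}> survive;
    // safety comes from escaping wherever the value is rendered.
    update_option('example_notification_message', $raw);
}
function secure_render_notification_message(): void {
    $value = get_option('example_notification_message', '');
    // esc_textarea() encodes <, >, &, and quotes, so stored content cannot
    // close the textarea and run as script when the settings page is opened.
    printf(
        '<textarea name="site_reviews_v6[settings][general][notification_message]">%s</textarea>',
        esc_textarea($value)
    );
}
// When the template is expanded into an HTML e-mail body, escape the
// interpolated review fields too, since they are also user-controlled.
function secure_expand_template(string $template, array $review): string {
    $out = $template;
    foreach ($review as $key => $val) {
        $out = str_replace('{' . $key . '}', esc_html((string) $val), $out);
    }
    return $out;
}
```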

Affected software:

Name          Operator   Version
site-reviews  lt         6.7.1
