The plugin does not have a CSRF check when adding a Preset, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads in a Preset created via a CSRF attack.

| CPE | Name | Operator | Version |
|---|---|---|---|
| | shortcodes-ultimate | lt | 5.12.1 |