The plugin does not sanitise and escape some of its Table settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)
Create/edit a table, go to its settings, enabled the Signature (in Main Settings tab) and put the following payload in the Signature Text textarea: The XSS will be triggered in a page/post where the table is embed
CPE | Name | Operator | Version |
---|---|---|---|
data-tables-generator-by-supsystic | lt | 1.10.20 |