The plugin does not escape the some of the attributes of its mlcalc shortcode before outputting them, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks
[mlcalc schedule=“month’;alert(/XSS/)//”]
CPE | Name | Operator | Version |
---|---|---|---|
mortgage-loan-calculator | lt | 1.5.17 |