Description
The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as administrators to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
PoC
1) Create a new popup via /wp-admin/admin.php?page=ays-pb&action=add
2) Set its “Custom content” and “Popup description” fields to the following:
3) Save, and notice the alert box appearing when re-editing the popup and when visiting the website.
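The advisory names two missing controls: settings are not sanitised when saved and not escaped when printed. The following is an added hardening example written for this page, not the affected plugin's code, showing how a WordPress settings page can apply both, so that an administrator without the unfiltered_html capability cannot store markup that executes in the edit screen or on the front end. The option name, settings group, field names and function names are placeholders chosen for the example; the WordPress API calls (register_setting with sanitize_callback, sanitize_text_field, wp_kses_post, esc_attr, esc_textarea, esc_html) are real.

```php
<?php
/**
 * Added hardening example (not the affected plugin's code).
 * Option key, settings group and field names below are assumed placeholders.
 *
 * Two properties the advisory says are missing:
 *   1. sanitise on save   - untrusted input never reaches the database raw
 *   2. escape on output   - stored values are escaped for the context they land in
 */

// Assumed option key used for this example.
const EXAMPLE_POPUP_OPTION = 'example_popup_settings';

/**
 * Sanitise callback for the popup settings array.
 * WordPress runs this before the option is written, whoever submitted the form.
 */
function example_popup_sanitize( $input ) {
    $clean = array();

    // Plain-text field: strip all tags, invalid UTF-8 and control characters.
    $clean['description'] = isset( $input['description'] )
        ? sanitize_text_field( wp_unslash( $input['description'] ) )
        : '';

    // Rich-text field: keep only the post-content allowlist. wp_kses_post()
    // removes <script>, on* event handlers and javascript: URLs for every
    // user, so the result does not depend on the unfiltered_html capability.
    $clean['custom_content'] = isset( $input['custom_content'] )
        ? wp_kses_post( wp_unslash( $input['custom_content'] ) )
        : '';

    return $clean;
}

// Register the option with its sanitise callback (assumed settings group name).
add_action( 'admin_init', function () {
    register_setting( 'example_popup_group', EXAMPLE_POPUP_OPTION, array(
        'type'              => 'array',
        'sanitize_callback' => 'example_popup_sanitize',
        'default'           => array( 'description' => '', 'custom_content' => '' ),
    ) );
} );

/**
 * Admin edit form: each stored value is escaped for the context it is printed in,
 * so re-editing the popup cannot execute anything that was stored.
 */
function example_popup_render_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $opts = get_option( EXAMPLE_POPUP_OPTION, array() );
    $desc = isset( $opts['description'] ) ? $opts['description'] : '';
    $html = isset( $opts['custom_content'] ) ? $opts['custom_content'] : '';
    ?>
    <form method="post" action="options.php">
        <?php settings_fields( 'example_popup_group' ); ?>
        <label for="ex-desc">Popup description</label>
        <!-- attribute value context: esc_attr() -->
        <input id="ex-desc" type="text"
               name="<?php echo esc_attr( EXAMPLE_POPUP_OPTION ); ?>[description]"
               value="<?php echo esc_attr( $desc ); ?>">

        <label for="ex-content">Custom content</label>
        <!-- textarea body context: esc_textarea() -->
        <textarea id="ex-content"
                  name="<?php echo esc_attr( EXAMPLE_POPUP_OPTION ); ?>[custom_content]"><?php
            echo esc_textarea( $html );
        ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

/**
 * Front-end output: re-apply the allowlist at render time, so a value that
 * reached the option through any other path is still constrained when shown.
 */
function example_popup_render_frontend() {
    $opts = get_option( EXAMPLE_POPUP_OPTION, array() );
    $desc = isset( $opts['description'] ) ? $opts['description'] : '';
    $html = isset( $opts['custom_content'] ) ? $opts['custom_content'] : '';

    echo '<div class="popup">';
    echo '<p>' . esc_html( $desc ) . '</p>';   // text context: esc_html()
    echo wp_kses_post( $html );                  // rich content: allowlist again
    echo '</div>';
}
```

Escaping is applied at each output site rather than once, because the same stored string lands in three different contexts here (an attribute value, a textarea body and inline HTML), and each needs its own escaping function. Sanitising on save is still kept, so a verifier reviewing the fix can check the stored option directly and confirm that no executable markup is present regardless of which screen renders it.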