The plugin does not sanitise and escape the Header Title, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Create a new Grid/Carousel, in the General Settings, enable “Display Header Title” and put the following payload in the “Header Title” field: The XSS will be triggered when viewing the Post Grid/Carousel in the post.
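
The two steps the description names as missing, sanitising when the setting is saved and escaping when it is rendered, shown as an added PHP example for a WordPress plugin. This is not the plugin's own code; the meta key, form field, nonce action and function names are hypothetical.

```php
<?php
// Added example. Runs inside WordPress; every example_* name is hypothetical.

const EXAMPLE_TITLE_META = '_example_header_title'; // hypothetical meta key

// Input side: normalise the Header Title when the grid settings are saved.
function example_save_header_title( int $post_id ): void {
    if ( ! isset( $_POST['example_header_title'], $_POST['example_nonce'] ) ) {
        return;
    }
    if ( ! wp_verify_nonce( sanitize_key( $_POST['example_nonce'] ), 'example_save_grid' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // sanitize_text_field() strips tags, so markup never reaches the database,
    // whether or not the saving user holds unfiltered_html.
    $title = sanitize_text_field( wp_unslash( $_POST['example_header_title'] ) );
    update_post_meta( $post_id, EXAMPLE_TITLE_META, $title );
}
add_action( 'save_post', 'example_save_header_title' );

// Output side: escape at render time, so a value stored before the fix
// (or written by another code path) is still emitted as plain text.
function example_render_header_title( int $post_id ): string {
    $title = (string) get_post_meta( $post_id, EXAMPLE_TITLE_META, true );
    if ( '' === $title ) {
        return '';
    }
    return '<h2 class="example-grid-title">' . esc_html( $title ) . '</h2>';
}
```

Escaping on output is the step that protects sites where a title was already stored before an update; sanitising on save alone does not clean existing rows.
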
| CPE | Name | Operator | Version |
|---|---|---|---|
| | post-grid-carousel-ultimate | lt | 1.5.0 |