USM Premium < 16.3 - Admin+ Stored XSS

The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).

PoC

Put the payload in any text field of the “8 Do you want to show a subscription form (increases sign-ups)? » Text above the entry field » Text” settings and save: " style=animation-name:rotation onanimationstart=alert(/XSS/)// The XSS will be triggered when reaccessing the settings.