Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
">![](x)
2) Save the payload, and notice the injection alert() box popping up when viewing the full list of tables in /wp-admin/admin.php?page=pyt-tables&tab;=tables