The plugin does not sanitise or escape its QR settings, nor does it have any CSRF check in place, allowing attackers to make a logged-in admin change the settings and perform Cross-Site Scripting attacks.
Put the following payload in the QR setting: ">

The XSS will be triggered in the plugin’s settings page, as well as in all frontend posts.

via CSRF:
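For reference, the three controls the advisory says are missing (a CSRF check, input sanitisation and output escaping) in one hardened WordPress settings handler. This is an added example, not code from the WeChat Reward plugin; the hook, option and field names are assumptions, and the QR setting is assumed to hold an image URL.

```php
<?php
// Added example, not the plugin's own code. Hook, option and field names
// (wr_*) are assumptions; the QR setting is assumed to be an image URL.
add_action( 'admin_post_wr_save_qr', 'wr_save_qr_settings' );
function wr_save_qr_settings() {
    // Capability check: only administrators may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF: reject any request that does not carry the nonce our own form emits.
    check_admin_referer( 'wr_save_qr', 'wr_nonce' );

    // Sanitise on input: keep only a well-formed URL, nothing else is stored.
    $qr = isset( $_POST['wr_qr'] ) ? esc_url_raw( wp_unslash( $_POST['wr_qr'] ) ) : '';
    update_option( 'wr_qr_url', $qr );

    wp_safe_redirect( admin_url( 'options-general.php?page=wr-settings&updated=1' ) );
    exit;
}

// Settings page: emit the nonce and escape the stored value for an attribute.
function wr_render_qr_settings_form() {
    $qr = get_option( 'wr_qr_url', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wr_save_qr">
        <?php wp_nonce_field( 'wr_save_qr', 'wr_nonce' ); ?>
        <label>QR image URL
            <input type="url" name="wr_qr" value="<?php echo esc_attr( $qr ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Frontend posts: escape again at the point of use, in attribute context.
add_filter( 'the_content', 'wr_append_qr_to_post' );
function wr_append_qr_to_post( $content ) {
    $qr = get_option( 'wr_qr_url', '' );
    if ( '' === $qr || ! is_singular( 'post' ) ) {
        return $content;
    }
    return $content . '<p><img src="' . esc_url( $qr ) . '" alt="'
        . esc_attr__( 'Reward QR code', 'wr' ) . '"></p>';
}
```

Sanitising on save limits what can be stored, while escaping on output protects every place the value is rendered even if a stored value predates the fix.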
| CPE | Name | Operator | Version |
|---|---|---|---|
| | wechat-reward | eq | * |