The plugin allows bad actors with administrator privileges to the settings page to inject Javascript code to its settings leading to stored Cross-Site Scripting that will only affect administrator users.
In Page/Post Access tab, Use XSS Payload as "> in any of the pages available. XSS will be triggered at the plugin’s admin panel.
CPE | Name | Operator | Version |
---|---|---|---|
page-and-post-restriction | lt | 1.2.7 |