wpvulndb | Bob Matyas | WPVDB-ID:9F0A575F-862D-4F2E-8D25-82C6F58DD11A
History: May 24, 2024 - 12:00 a.m.

Pray For Me <= 1.0.4 - Unauthenticated Stored XSS

2024-05-24 00:00:00
Bob Matyas
wpscan.com
4
Tags: wordpress, cross-site scripting, unauthenticated

AI Score: 5.9
Confidence: High
EPSS: 0.001
Percentile: 17.5%

Description: The plugin does not sanitise and escape some parameters, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks that trigger when an admin visits the Prayer Requests page in the WP Admin.

PoC

1. Configure the plugin to add the first name and last name fields to the form: https://example.com/wp-admin/admin.php?page=caruso_prayer_plugin_settings
2. Add the [prayer_form] shortcode to a post or page
3. As an unauthenticated user, fill out the form and enter "> in the "first name" and "last name" fields
4. As an admin, go to: https://example.com/wp-admin/admin.php?page=caruso_prayer_plugin to see the XSS
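The pattern behind this class of bug is a form value that is stored without sanitisation and later echoed into an admin page without escaping. The PHP below is an added illustration written for this entry; it is not the Pray For Me plugin's code, and the function and option names (example_prayer_*) are hypothetical. It shows the vulnerable store/render pair next to the WordPress-idiomatic fix: sanitize_text_field() on input and esc_html() on output.

```php
<?php
// Added illustration, not the plugin's own code. Function and option names are hypothetical.

// VULNERABLE: raw POST values are stored and later echoed verbatim into the admin table.
function example_prayer_save_vulnerable() {
    $requests   = get_option( 'example_prayer_requests', array() );
    $requests[] = array(
        'first_name' => $_POST['first_name'], // no sanitisation
        'last_name'  => $_POST['last_name'],
    );
    update_option( 'example_prayer_requests', $requests );
}

function example_prayer_render_vulnerable() {
    foreach ( get_option( 'example_prayer_requests', array() ) as $r ) {
        // A value containing quotes or angle brackets is parsed as markup in the admin's browser.
        echo '<tr><td>' . $r['first_name'] . '</td><td>' . $r['last_name'] . '</td></tr>';
    }
}

// FIXED: sanitise on input AND escape on output; they guard different layers.
function example_prayer_save_fixed() {
    $requests   = get_option( 'example_prayer_requests', array() );
    $requests[] = array(
        // wp_unslash() removes WordPress's added slashes; sanitize_text_field() strips tags and control chars.
        'first_name' => sanitize_text_field( wp_unslash( $_POST['first_name'] ?? '' ) ),
        'last_name'  => sanitize_text_field( wp_unslash( $_POST['last_name'] ?? '' ) ),
    );
    update_option( 'example_prayer_requests', $requests );
}

function example_prayer_render_fixed() {
    foreach ( get_option( 'example_prayer_requests', array() ) as $r ) {
        // esc_html() encodes < > " ' & so the stored value is rendered as text, never as markup.
        echo '<tr><td>' . esc_html( $r['first_name'] ) . '</td><td>' . esc_html( $r['last_name'] ) . '</td></tr>';
    }
}
```

Output escaping is the control that actually prevents the admin-side XSS described above; input sanitisation is defence in depth, since the same stored value may later be rendered in other contexts (attributes, JavaScript, email) that need a different escaper.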
