The plugin does not sanitize and the email field in the plugin settings, which could allow users with roles as low as contributor to inject arbitrary web scripts in the plugin settings page, which could target high privilege users such as administrators.
CPE | Name | Operator | Version |
---|---|---|---|
event-registration-calendar-by-vcita | lt | 1.4.0 | |
paypal-payment-button-by-vcita | lt | 3.10.0 |