The plugin does not sanitize and escape the _wpnonce parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.
https://example.com/wp-admin/admin.php?page=wpmm-add-theme&_wpnonce=">
CPE | Name | Operator | Version |
---|---|---|---|
ap-mega-menu | lt | 3.0.8 |