The plugin does not sanitise or escape its "php_id" setting before outputting it back in an attribute in the page, leading to a stored Cross-Site Scripting issue.
Put the following payload in the "php_id" field in the plugin's settings (/wp-admin/options-general.php?page=phtmanager): ">
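The fix pattern for this class of bug, shown as an added example that is not the plugin's own code: a hypothetical settings page reads an option named php_id and writes it into an input's value attribute. The first function reproduces the unescaped pattern the advisory describes; the other two sanitise the value when it is saved and escape it with esc_attr() when it is output. The function names, the settings group and the assumption that the option is stored under the key php_id are mine; esc_attr(), sanitize_text_field(), get_option(), register_setting() and add_action() are WordPress core functions.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress is loaded.
// Function names, the settings group and the option key are hypothetical.

// Vulnerable pattern: the stored value is echoed straight into an attribute.
// A stored value containing a double quote closes the value="..." attribute,
// so whatever follows it is parsed as markup by the browser.
function phtmanager_example_render_unescaped() {
    $php_id = get_option( 'php_id', '' );
    echo '<input type="text" name="php_id" value="' . $php_id . '">';
}

// Hardened pattern, part 1: sanitise on save with a sanitize_callback.
// sanitize_text_field() strips tags, invalid UTF-8 and stray whitespace.
function phtmanager_example_register_setting() {
    register_setting(
        'phtmanager_example_group',
        'php_id',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'phtmanager_example_register_setting' );

// Hardened pattern, part 2: escape on output. esc_attr() entity-encodes
// the characters <, >, &, " and ', so the value can no longer terminate
// the attribute regardless of what was stored.
function phtmanager_example_render_escaped() {
    $php_id = get_option( 'php_id', '' );
    printf(
        '<input type="text" name="php_id" value="%s">',
        esc_attr( $php_id )
    );
}
```

Output escaping is the control that actually prevents the XSS, because it is applied at the point where the untrusted value meets HTML; sanitising on save is defence in depth and also protects any other code path that later reads the option. To verify a fix, save a value containing a double quote in the field and view the page source of the settings screen: the quote must appear as an entity (&quot;) inside the attribute rather than as a raw character.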
CPE

Name | Operator | Version |
---|---|---|
phonetrack-meu-site-manager | eq | * |