The plugin allowed authenticated reflected XSS in its settings page: the ‘token_error’ parameter is user-controlled and is echoed directly without being sanitized.
/wp-admin/admin.php?page=settings-wisw&token_error=
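
A detection sketch for the issue described above, added here as an example and not taken from the plugin or the advisory: it scans web-server access logs for requests to the settings page whose `token_error` value decodes to HTML metacharacters. The combined log format, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Characters that an error-message parameter should not need and that
# matter when the value is echoed into HTML without escaping.
HTML_META = re.compile(r"[<>\"'`]")

# Request line inside a combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_token_error(log_line):
    """Return the decoded token_error value if the line is a request to the
    plugin settings page carrying markup characters in it, else None."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/wp-admin/admin.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    if "settings-wisw" not in params.get("page", []):
        return None
    for value in params.get("token_error", []):
        if HTML_META.search(value):
            return value
    return None


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin.php?page=settings-wisw&token_error=expired HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/admin.php?page=settings-wisw&token_error=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 5133',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-admin/admin.php?page=other&token_error=%3Cb%3E HTTP/1.1" 200 900',
]


def scan(lines):
    """Return (line_number, decoded_value) for every flagged line."""
    checked = ((n, suspicious_token_error(l)) for n, l in enumerate(lines, 1))
    return [(n, v) for n, v in checked if v is not None]


if __name__ == "__main__":
    for n, value in scan(SAMPLE_LOG):
        print(f"line {n}: token_error={value!r}")
```

Hits on a site still running a version below 1.8.5 are worth correlating with the authenticated user who followed the link, since the reflected value renders in that admin session.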
CPE

| Name | Operator | Version |
|---|---|---|
| instagram-slider-widget | lt | 1.8.5 |