Description The plugin does not properly sanitize and escape the ‘icon’ shortcode, leading to a potential Stored Cross-Site Scripting vulnerability. As a result, users with contributor-level permissions and above can inject arbitrary web scripts into pages.