Description

The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
Put the following payload in the “Class ID to be Added (for PC)” setting of the plugin (/wp-admin/options-general.php?page=pz-linkcard-settings > Advanced):

" onmouseover=alert(/XSS/)//

Then open a page/post containing a blogcard shortcode (such as [blogcard url="aaa"]) and move the mouse over the generated card to trigger the XSS.
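
The pattern behind this issue and its two fixes, as an added example that is not the plugin's own code: a stored setting concatenated into a class attribute, the same value escaped on output, and the value sanitised on save. All function and variable names are hypothetical; `htmlspecialchars()` stands in for WordPress's `esc_attr()` so the file runs under the PHP CLI (with the DOM extension) outside WordPress.

```php
<?php
// Added example: function and variable names are hypothetical, not the plugin's.

// Constructed input: the setting value from the report above.
$stored = '" onmouseover=alert(/XSS/)//';

// Vulnerable pattern: a stored setting concatenated into an attribute.
function render_unsafe(string $class_id): string {
    return '<div class="card ' . $class_id . '">link card</div>';
}

// Output fix: encode for the attribute context. Inside WordPress use
// esc_attr(); htmlspecialchars() stands in so this runs under the PHP CLI.
function render_escaped(string $class_id): string {
    return '<div class="card '
        . htmlspecialchars($class_id, ENT_QUOTES, 'UTF-8')
        . '">link card</div>';
}

// Save-time fix: keep only class-name characters in each token, the same
// character allowlist WordPress applies in sanitize_html_class().
function sanitize_class_setting(string $value): string {
    $clean = [];
    foreach (preg_split('/\s+/', $value, -1, PREG_SPLIT_NO_EMPTY) as $token) {
        $token = preg_replace('/[^A-Za-z0-9_-]/', '', $token);
        if ($token !== '') {
            $clean[] = $token;
        }
    }
    return implode(' ', $clean);
}

// Check: parse the markup and list the attribute names on the card element.
// Anything other than "class" means the setting broke out of its attribute.
function attribute_names(string $html): array {
    libxml_use_internal_errors(true); // tolerate the malformed unsafe markup
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $names = [];
    foreach ($doc->getElementsByTagName('div')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

echo 'unsafe:    ', implode(', ', attribute_names(render_unsafe($stored))), PHP_EOL;
echo 'escaped:   ', implode(', ', attribute_names(render_escaped($stored))), PHP_EOL;
echo 'sanitized: ', sanitize_class_setting($stored), PHP_EOL;
```

Applying both fixes gives defence in depth: the save-time allowlist keeps markup out of the database, and output escaping still protects values that were stored before the fix.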