wpvulndb | Fortune Sam Okon | WPVDB-ID: DD6EBF6B-209B-437C-9FE4-527AB9E3B9E3
History: Jul 18, 2022 - 12:00 a.m.

Inspiro Premium < 7.2.3 - Contributor+ Stored Cross-Site Scripting

2022-07-18 00:00:00
Fortune Sam Okon
wpscan.com
inspiro premium
contributor
cross-site scripting
portfolio slider
javascript injection
security issue

EPSS

0.001

Percentile

24.8%

The plugin does not sanitize the portfolio slider description, allowing users with privileges as low as Contributor to inject JavaScript into the description.

PoC

Steps to reproduce:
1) As a Contributor, go to Portfolio on the dashboard and add a new item.
2) On the editing page that comes up, scroll down to the slider section.
3) Add the payload in the description area. “”
4) Save and preview the item and watch the script trigger.
5) Log in as an Administrator or Editor, preview the created portfolio item, and the script gets triggered.
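The fix for the behaviour described above, as an added PHP example that is not the plugin's or WPScan's code: sanitize the slider description when it is saved and escape it again when it is rendered. The meta key 'example_slider_description' and the post type 'portfolio' are assumptions standing in for the plugin's own names, and the WordPress API (register_post_meta, wp_kses_post, get_post_meta) is assumed to be loaded.

```php
<?php
/**
 * Added example, not the plugin's own code. Assumes the WordPress API is
 * loaded; 'example_slider_description' and 'portfolio' are hypothetical names.
 */

// Vulnerable pattern the advisory describes: text supplied by a Contributor is
// stored and echoed as-is, so any <script> in it runs for whoever previews the
// item, including an Administrator or Editor.
function example_render_slider_description_unsafe( int $post_id ): string {
    return (string) get_post_meta( $post_id, 'example_slider_description', true );
}

// Hardened, step 1: register the meta key with a sanitize_callback so every
// write path (meta box, update_post_meta(), REST) passes through the same filter.
function example_register_slider_meta(): void {
    register_post_meta(
        'portfolio',                      // hypothetical post type name
        'example_slider_description',     // hypothetical meta key
        array(
            'type'              => 'string',
            'single'            => true,
            'show_in_rest'      => false,
            'sanitize_callback' => 'example_sanitize_slider_description',
        )
    );
}
add_action( 'init', 'example_register_slider_meta' );

// wp_kses_post() keeps the markup an Editor may legitimately post (p, a, strong,
// img, ...) and removes <script>, on*= event handlers and javascript: URLs, which
// is exactly what a Contributor must never be able to store.
function example_sanitize_slider_description( $value ): string {
    return wp_kses_post( (string) $value );
}

// Hardened, step 2: escape on output as well. Rows written before the fix, or
// through a path that bypassed the callback, must not be trusted by the template.
function example_render_slider_description( int $post_id ): string {
    $description = get_post_meta( $post_id, 'example_slider_description', true );
    return wp_kses_post( (string) $description );
}
```

Applying wp_kses_post() on output also neutralises descriptions already stored before the plugin was updated, which is why both layers are kept.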

