The plugin does not escape the rowCount parameter before outputting it back in an attribute via the woosea_categories_dropdown AJAX action (available to any authenticated user), leading to a Reflected Cross-Site Scripting
CPE | Name | Operator | Version |
---|---|---|---|
woo-product-feed-pro | lt | 11.0.7 |