The plugin does not sanitise and escape its settings, allowing high privilege users to perform Cross-Site Scripting attacks when unfiltered_html is disallowed
Put the following payload in any of the plugin’s settings (such as Font size, Font Color) and save: ">
CPE | Name | Operator | Version |
---|---|---|---|
easy-faq-with-expanding-text | eq | * |