The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
As admin, put the following payloads in Settings > Goolytics > Google Analytics ID field and save: ">
CPE | Name | Operator | Version |
---|---|---|---|
goolytics-simple-google-analytics | lt | 1.1.2 |