The plugin does not sanitise and escape some of its fields, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.
As a contributor, create a new Baby item and put the following payload in any of the settings (such as Birth Date, Time of Birth, etc.): ">

The XSS will be triggered when editing the post, as well as when viewing/previewing it.
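The fix pattern for this class of bug, as an added example that is not the plugin's own code: sanitise each setting when it is saved and escape it for its output context on both the edit screen and the front end. The `bb_*` function names, the meta keys, the nonce name and the assumption that the edit screen renders each value inside an input's `value` attribute are all hypothetical.

```php
<?php
// Added example. Hypothetical: bb_* names, meta keys, nonce field/action.
const BB_FIELDS = array( 'bb_birth_date', 'bb_time_of_birth' );

// Input side: sanitise every setting before it is stored.
function bb_save_baby_meta( $post_id ) {
    if ( ! isset( $_POST['bb_nonce'] )
        || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['bb_nonce'] ) ), 'bb_save_baby' ) ) {
        return;
    }
    if ( ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    foreach ( BB_FIELDS as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            // sanitize_text_field() strips tags but leaves double quotes intact,
            // so a leading "> still needs escaping wherever the value is printed.
            $value = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
            update_post_meta( $post_id, $key, $value );
        }
    }
}
add_action( 'save_post', 'bb_save_baby_meta' );

// Output side, edit screen: the value sits inside value="...", so use esc_attr().
function bb_render_meta_box( $post ) {
    wp_nonce_field( 'bb_save_baby', 'bb_nonce' );
    foreach ( BB_FIELDS as $key ) {
        printf(
            '<p><label>%1$s <input type="text" name="%2$s" value="%3$s"></label></p>',
            esc_html( $key ),
            esc_attr( $key ),
            esc_attr( get_post_meta( $post->ID, $key, true ) )
        );
    }
}

// Output side, view/preview: the value sits in element text, so use esc_html().
function bb_render_baby_details( $post_id ) {
    $out = '';
    foreach ( BB_FIELDS as $key ) {
        $out .= '<span class="' . esc_attr( $key ) . '">'
            . esc_html( get_post_meta( $post_id, $key, true ) ) . '</span>';
    }
    return $out;
}
```

Escaping on output is the control that matters for values already stored before a fix is deployed, since those were never passed through the save-time sanitiser.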
CPE

Name | Operator | Version |
---|---|---|
wp-born-babies | eq | * |