Description

The plugin does not adequately sanitize and escape the ‘vivafbcomment’ shortcode. This lack of proper input sanitization and output escaping allows authenticated users with contributor-level permissions or higher to inject arbitrary web scripts into pages. These scripts will execute whenever a user visits an injected page.
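
As an added illustration (not the affected plugin's code, which this page does not show), the handler below shows where a shortcode of this kind needs both steps the description names: sanitizing values on input and escaping them on output. The shortcode tag `example_fbcomment` and the attributes `url`, `width` and `num_posts` are hypothetical, and the code assumes it is loaded inside WordPress.

```php
<?php
// Added illustration: a hypothetical shortcode handler, not the affected plugin's code.
// Tag and attribute names (example_fbcomment, url, width, num_posts) are assumptions.

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Run only inside WordPress.
}

/**
 * Render [example_fbcomment url="..." width="..." num_posts="..."].
 * A contributor controls every attribute value, so each one is
 * validated on input and escaped for its output context.
 */
function example_fbcomment_shortcode( $atts ) {
    $atts = shortcode_atts(
        array(
            'url'       => get_permalink(),
            'width'     => '100%',
            'num_posts' => 5,
        ),
        $atts,
        'example_fbcomment'
    );

    // Input sanitization: coerce each value to the type it should have.
    $url       = esc_url_raw( (string) $atts['url'], array( 'http', 'https' ) );
    $num_posts = min( 100, max( 1, absint( $atts['num_posts'] ) ) );
    // Width: accept only digits with an optional px or % unit.
    $width = preg_match( '/^\d{1,4}(px|%)?\z/', (string) $atts['width'] )
        ? (string) $atts['width']
        : '100%';

    if ( '' === $url ) {
        return ''; // URL rejected (empty or disallowed scheme): render nothing.
    }

    // Output escaping: escape again at the point of output, per context.
    return sprintf(
        '<div class="fb-comments" data-href="%s" data-width="%s" data-numposts="%d"></div>',
        esc_url( $url ),
        esc_attr( $width ),
        $num_posts
    );
}
add_shortcode( 'example_fbcomment', 'example_fbcomment_shortcode' );
```

Escaping at output is kept even though the values were already sanitized, so the markup stays safe if a later change adds an attribute or relaxes the input checks.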