The plugin does not sanitize and escape its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
1. Go to plugin settings under "WPBot Lite > Simple Text Responses".
2. Enter the payload Test Query" onmouseover="alert(1)" for the Query, Keyword, and/or Intent fields.
3. Save settings and move your mouse over the fields to see the XSS.
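The root cause named above is the absence of both sanitization on save and escaping on output. The following PHP is an added illustration written for this advisory, not code taken from the WPBot Lite plugin; the option name, function names and field name (demo_simple_text_query, demo_query, and so on) are hypothetical. It places the unsafe pattern next to the standard WordPress fix so the two controls can be compared.

```php
<?php
// Added illustration (not the plugin's own code): a settings field that stores
// a query/keyword/intent string and renders it back into an admin page.
// All option, field and function names below are hypothetical.

// --- Vulnerable pattern: value stored and echoed exactly as submitted. ---
function demo_vulnerable_save_query() {
    // The submitted value goes straight into the options table.
    update_option( 'demo_simple_text_query', $_POST['demo_query'] );
}

function demo_vulnerable_render_query() {
    $value = get_option( 'demo_simple_text_query', '' );
    // A stored value containing a double quote closes the value="" attribute
    // early, so anything after it becomes new attributes of the <input>.
    // This is the behaviour the advisory describes.
    echo '<input type="text" name="demo_query" value="' . $value . '">';
}

// --- Hardened pattern: sanitize on input, escape on output. ---
function demo_register_settings() {
    // Values saved through the Options API are not filtered automatically,
    // whether or not the user holds unfiltered_html; the plugin must supply
    // a sanitize_callback itself.
    register_setting(
        'demo_settings_group',
        'demo_simple_text_query',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'demo_register_settings' );

function demo_hardened_render_query() {
    $value = get_option( 'demo_simple_text_query', '' );
    // esc_attr() encodes quotes and angle brackets, so the stored string can
    // never terminate the attribute or introduce an event handler.
    printf(
        '<input type="text" name="%s" value="%s">',
        esc_attr( 'demo_query' ),
        esc_attr( $value )
    );
}

// If the same value is later printed as element text (for example in a list
// of configured responses), use esc_html() there instead of esc_attr().
function demo_hardened_render_query_text() {
    $value = get_option( 'demo_simple_text_query', '' );
    echo '<li>' . esc_html( $value ) . '</li>';
}
```

The two controls are independent: sanitize_text_field() on save reduces what reaches the database, but the escaping call at the point of output is what actually prevents the stored string from being interpreted as markup, so a review of a plugin for this class of bug should check every place a setting is echoed, not only the save handler.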