FuneralPress plugin is prone to a persistent cross-site scripting vulnerabilities. These vulnerabilities allow attackers to host malicious Javascript on another site, enter a path to a local image
in <input type=“file” name=“photo” id=“wpfh_message_file”>, if Photo was selected. Also, attackers can submit the form with the following entered into <textareastyle=“width:100%;height:70px” name=“photo-message”></textarea>.
For some basics XSS protection, use . Or update the plugin.