Description

The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).
Proof of Concept

1. Click on the “Add new” tab.
2. Select the “Menu” tab.
3. Enter the JavaScript payload in the “Link” field: javascript:alert(/XSS/);
4. Save it, visit the site, and click on the bubble menu.
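The steps above work because the stored “Link” value reaches an href attribute without any check on its URL scheme. The following Node.js snippet is an added example, not code from the plugin or from the advisory: it places a deliberately vulnerable renderer next to a hardened one that allows only http, https and mailto links (an allowlist chosen for this example, analogous in spirit to the protocol allowlist WordPress applies in esc_url()) and HTML-escapes the attribute. The function names, the allowlist and the sample inputs are all assumptions made here.

```javascript
// Added example (not the plugin's code): why a javascript: URL stored in a
// "Link" setting becomes stored XSS, and one way to sanitize it on output.

// Vulnerable: the stored value is interpolated into the attribute verbatim,
// so "javascript:alert(/XSS/)" becomes a clickable script URL.
function renderBubbleLinkVulnerable(link, label) {
  return `<a href="${link}">${label}</a>`;
}

// Schemes considered safe for an href (assumption of this example).
const ALLOWED_SCHEMES = ["http:", "https:", "mailto:"];

// Browsers strip ASCII control characters and whitespace before parsing a
// URL, so "java\nscript:" or "\tjavascript:" still execute. Remove them the
// same way before looking at the scheme, then compare case-insensitively.
function stripControls(value) {
  return value.replace(/[\u0000-\u0020\u007f]/g, "");
}

function extractScheme(value) {
  const m = /^([a-z][a-z0-9+.-]*:)/i.exec(stripControls(value));
  return m ? m[1].toLowerCase() : null;
}

// Returns the link unchanged (minus control characters) when it is relative
// or uses an allowed scheme; returns "" for any other scheme (javascript:,
// data:, vbscript:, ...). Dropping the value is the conservative choice for
// a link that will be rendered to every visitor.
function sanitizeHref(link) {
  const scheme = extractScheme(link);
  if (scheme !== null && !ALLOWED_SCHEMES.includes(scheme)) {
    return "";
  }
  return stripControls(link);
}

// Attribute-context escaping. Encoding "&" also defeats entity-encoded
// payloads such as "&#106;avascript:": the browser no longer decodes them.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hardened: validate the scheme, then escape for the attribute context.
function renderBubbleLinkSafe(link, label) {
  const href = sanitizeHref(link);
  return `<a href="${escapeAttr(href)}">${escapeAttr(label)}</a>`;
}

// Constructed inputs for the demonstration.
const SAMPLES = [
  "javascript:alert(/XSS/);",      // the payload from the PoC
  "JaVaScRiPt:alert(1)",           // case variation
  "java\nscript:alert(1)",         // embedded newline
  "data:text/html,<script>alert(1)</script>",
  "https://example.com/?a=1&b=2",  // legitimate absolute link
  "/contact",                      // legitimate relative link
];

for (const s of SAMPLES) {
  console.log("vulnerable:", renderBubbleLinkVulnerable(s, "Chat"));
  console.log("hardened:  ", renderBubbleLinkSafe(s, "Chat"));
}

module.exports = { renderBubbleLinkVulnerable, renderBubbleLinkSafe, sanitizeHref, extractScheme };
```

The allowlist approach is preferable to a denylist of "javascript:" because of the normalisation browsers perform (case folding, stripped whitespace and control characters, entity decoding inside attributes); a denylist that matches the literal string from the PoC misses every one of those variants. In a WordPress plugin the equivalent fix is to run the setting through esc_url() (and a capability check) before it is echoed into the markup.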