Description

The plugin does not sanitise and escape some of its settings, which could allow users such as subscribers to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).
1. Register a student account and go to the “Dashboard” plugin (https://example.com/dashboard/settings/)
2. Add the payload `` to either the “First Name” or “Last Name” fields.
3. Click on “Update Profile” and reload the page.
4. When you do that, you will see the XSS.
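The missing sanitising and escaping described above, shown as an added example that is not the plugin's own code: a profile handler in the weak form next to a hardened form. The function names (`demo_*`), the nonce field `demo_profile_nonce` and the use of user meta for storage are assumptions made for illustration; the WordPress functions called are core APIs.

```php
<?php
// Hypothetical handler and field names (assumptions); illustrates the pattern only.

// Weak form: raw POST data is stored, then written into the page unescaped.
function demo_save_profile_unsafe( $user_id ) {
    update_user_meta( $user_id, 'first_name', $_POST['first_name'] );
}
function demo_render_field_unsafe( $user_id ) {
    echo '<input name="first_name" value="' . get_user_meta( $user_id, 'first_name', true ) . '">';
}

// Hardened form: verify the request, sanitise on input, escape on output.
function demo_save_profile( $user_id ) {
    $nonce = isset( $_POST['demo_profile_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['demo_profile_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_update_profile_' . $user_id ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'Not allowed.', '', array( 'response' => 403 ) );
    }
    foreach ( array( 'first_name', 'last_name' ) as $key ) {
        if ( ! isset( $_POST[ $key ] ) ) {
            continue;
        }
        // sanitize_text_field() strips tags, line breaks and extra whitespace.
        $value = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
        // update_user_meta() unslashes its input, so re-slash the clean value.
        update_user_meta( $user_id, $key, wp_slash( $value ) );
    }
}

function demo_render_field( $user_id, $key ) {
    $value = get_user_meta( $user_id, $key, true );
    // esc_attr() keeps the stored value inside the attribute, even if an
    // older, unsanitised value is still in the database.
    printf(
        '<input type="text" name="%s" value="%s">',
        esc_attr( $key ),
        esc_attr( $value )
    );
}
```

Escaping at output is the part that protects values saved before a fix was deployed; sanitising on save alone leaves previously stored markup in place.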