Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
When creating a new widget, insert the following payload in the “FaceBook URL” field - 40"asdasd=‘’;"