The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
1. Login as Admin. 2. Go to http://vulnerable-site.tld/wp-admin/edit.php?post_type=site-review&page;=glsr-settings&tab;=general 3. Make some changes in the schema
tab and intercept the request. 4. The form will have the parameter site_reviews_v6[settings][general][notification_message]
5. Insert the following payload in it **A new {review_rating}-star review has been submitted:** {review_title} {review_content} {review_author} <{review_email}> - {review_ip} {review_link}
6. Hit send and the xss payload will be saved and will be triggered whenever the settings page is open.