The plugin does not sanitise or escape its description setting before outputting it on the frontend when Coming Soon mode is enabled, even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue.
Via the plugin’s settings:

- Enable the ‘Coming Soon Mode’
- Put the following payload in the Description field

Then access the frontend as a user to trigger the XSS.
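The two control points that close this class of bug, sanitising the setting on save and filtering it again on output, are sketched below as an added example; it is not the plugin's own code or its actual fix. The option name `csx_description`, the settings group `csx_settings` and the `csx_*` function names are hypothetical, and the example assumes the description is allowed to contain limited markup.

```php
<?php
// Added example. csx_description, csx_settings and the csx_* functions are
// hypothetical names, not identifiers taken from the plugin.

// 1. Sanitise on save: route the option through a sanitize callback so the
//    stored value never contains script-capable markup.
add_action( 'admin_init', function () {
    register_setting( 'csx_settings', 'csx_description', array(
        'type'              => 'string',
        'sanitize_callback' => 'csx_sanitize_description',
    ) );
} );

function csx_sanitize_description( $value ) {
    // wp_kses_post() keeps the post-content allowlist (p, a, strong, ...)
    // and strips <script>, event-handler attributes and javascript: URLs.
    // It is applied unconditionally, so the result does not depend on
    // whether the saving user holds the unfiltered_html capability.
    return wp_kses_post( (string) $value );
}

// 2. Filter on output: a value stored by a version that lacked the callback
//    above is still in the database, so the frontend template must not
//    echo the option raw.
function csx_render_description() {
    $description = (string) get_option( 'csx_description', '' );
    echo '<div class="csx-description">' . wp_kses_post( $description ) . '</div>';
}

// If the description is meant to be plain text only, the stricter pairing is
// sanitize_textarea_field() on save and esc_html() on output.
```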
CPE

Name | Operator | Version |
---|---|---|
coming-soon-wp | lt | 1.6.7 |