The plugin does not sanitise and escape the username submitted via the login form when displaying it back in the log dashboard, leading to unauthenticated Stored Cross-Site Scripting.
curl 'https://example.com/wp-login.php' --data-raw 'log=a&pwd=x&wp-submit=Log+In'

The XSS will be triggered in the 'All User' section of the Login Log: https://example.com/wp-admin/users.php?page=crazy-bone%2Fplugin.php&user_id=-1&status
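
The missing output escaping described above, contrasted with a hardened renderer, as an added example (not the plugin's code). The function names, row layout and sample rows are hypothetical, and `htmlspecialchars()` stands in for WordPress's `esc_html()` so the script runs without WordPress:

```php
<?php
// Added illustration; not taken from the plugin. All names here are hypothetical.

// Constructed sample of stored login-log rows. user_login is whatever was
// posted in the `log` field of wp-login.php, so it is attacker-controlled
// even for failed, unauthenticated login attempts.
$rows = [
    ['user_login' => 'alice',    'status' => 'login'],
    ['user_login' => '<b>a</b>', 'status' => 'login_error'], // harmless markup marker
];

// Input side: bound what is written to the log (strip tags and control
// characters, cap at 60 bytes, the width of WordPress's user_login column).
function normalise_login_for_log(string $raw): string
{
    $clean = strip_tags($raw);
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $clean) ?? '';
    return substr($clean, 0, 60);
}

// Vulnerable pattern: the stored value is concatenated into the admin table
// as-is, so any markup in the username becomes part of the page.
function render_row_unescaped(array $row): string
{
    return '<tr><td>' . $row['user_login'] . '</td><td>' . $row['status'] . '</td></tr>';
}

// Hardened pattern: escape every stored field at output time, regardless of
// whether it was sanitised when it was stored.
function render_row_escaped(array $row): string
{
    $e = static fn(string $v): string =>
        htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td>' . $e($row['user_login']) . '</td><td>' . $e($row['status']) . '</td></tr>';
}

foreach ($rows as $row) {
    echo 'unescaped: ', render_row_unescaped($row), PHP_EOL;
    echo 'escaped:   ', render_row_escaped($row), PHP_EOL;
    echo 'stored as: ', normalise_login_for_log($row['user_login']), PHP_EOL, PHP_EOL;
}
```

Escaping at output is the control that closes this issue; sanitising at input only reduces what reaches the log and does not protect rows already stored.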