The plugin does not escape the Address settings when creating an Entry, which could allow high privilege users to perform Cross-Site Scripting when the unfiltered_html capability is disallowed.
Add an Entry (/wp-admin/admin.php?page=connections_add) and put the following payload in the Address Line fields: inval1d"> The XSS will be triggered when accessing Manage page (/wp-admin/admin.php?page=connections_manage)
CPE | Name | Operator | Version |
---|---|---|---|
connections | lt | 10.4.3 |