Description The plugin does not sanitise and escape the srcdoc parameter, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks, however given that the malicious JS is limited to the scope of the iframe, there is no practical way to make users (such as admin) perform unwanted actions
CPE | Name | Operator | Version |
---|---|---|---|
eq | 4.9 |