Description The plugin does not properly escape the add_custom_body_class parameter before outputting it to the page, allowing users with the role of contributor of higher to inject arbitrary web scripts potentially targeting higher privileged users.