Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

Proof of Concept

Go to the Marker Categories settings of the plugin (/wp-admin/admin.php?page=ultimate-maps-supsystic&tab=marker_groups), add/edit a category and put the following payload as a title:

text"autofocus/onfocus=alert(1)//

The XSS will be triggered when editing the related category again.
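The pattern behind this class of bug, and the fix, as an added illustration that is not the plugin's own code: a stored category title printed straight into an HTML attribute lets a `"` in the value close the attribute and append event handlers, so the value must be escaped for the attribute context on output (and sanitised on save as defence in depth). Function and option names below are assumptions; the WordPress API calls are real.

```php
<?php
// Added example, not code from the Ultimate Maps plugin. Function and
// option names are assumptions; sanitize_text_field(), esc_attr(),
// wp_unslash(), update_option(), current_user_can() and
// check_admin_referer() are standard WordPress functions.

// Unsafe pattern: the stored title lands in the value attribute unescaped.
// A title such as  text"autofocus/onfocus=alert(1)//  closes the attribute
// and injects an event handler, independent of the unfiltered_html capability.
function umaps_render_title_field_unsafe( $title ) {
    return '<input type="text" name="title" value="' . $title . '">';
}

// Hardened save handler: verify intent and capability, then sanitise
// before storing. sanitize_text_field() strips tags, NUL bytes and line
// breaks but deliberately leaves quotes, so it does NOT by itself
// neutralise the payload above; output escaping is what closes the bug.
function umaps_save_category_title( $raw_title ) {
    check_admin_referer( 'umaps_save_category' );          // nonce action name assumed
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    $clean = sanitize_text_field( wp_unslash( $raw_title ) );
    update_option( 'umaps_marker_category_title', $clean ); // option name assumed
    return $clean;
}

// Hardened render: esc_attr() encodes " ' < > & for the attribute context,
// so the stored value can never terminate the attribute or the tag.
function umaps_render_title_field_safe( $title ) {
    return '<input type="text" name="title" value="' . esc_attr( $title ) . '">';
}

// Constructed input mirroring the advisory's payload, to compare both renderers.
$payload = 'text"autofocus/onfocus=alert(1)//';
echo umaps_render_title_field_unsafe( $payload ) . "\n";
// value="text"autofocus/onfocus=alert(1)//"  -> attribute broken, handler injected
echo umaps_render_title_field_safe( $payload ) . "\n";
// value="text&quot;autofocus/onfocus=alert(1)//"  -> inert text inside the attribute
```

Escaping must match the output context: esc_attr() for attribute values, esc_html() for text nodes, esc_url() for href/src; sanitising on save alone is not sufficient for settings that are later echoed into markup.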