Description The plugin is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting due to a missing capability check on the update_settings() function hooked via admin_init. This makes it possible for unauthenticated attackers to update the plugin’s settings which can be used to inject Cross-Site Scripting payloads and delete entire directories.
CPE | Name | Operator | Version |
---|---|---|---|
eq | 5.7.10 |