The plugin did not sanitise or escape some of its fields when creating a new sheet, allowing high-privilege users to add JavaScript to them, leading to a Stored Cross-Site Scripting issue. The payloads are triggered when viewing the ‘All Sheets’ page in the admin dashboard.
As admin, add a new Sheet and add the following payload in the “Title”, “Details” and “Task” fields: The XSS will be triggered whenever an admin goes to the All Sheets page.
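The fix pattern for this class of bug, as an added example that is not the plugin's own code: sanitise the three fields when the sheet is saved and escape them again when the All Sheets list is rendered. The function names and array keys are hypothetical, and the code assumes it is loaded inside WordPress, which provides `wp_unslash()`, `sanitize_text_field()`, `wp_kses_post()` and `esc_html()`.

```php
<?php
// Added example, not the plugin's code.
// Function names and field keys below are hypothetical.

// Save path: sanitise each field before it is stored.
function example_sanitize_sheet_fields( array $raw ) {
    // WordPress adds slashes to request data; remove them first.
    $raw = wp_unslash( $raw );

    return array(
        // Plain-text fields: tags are stripped, whitespace is normalised.
        'title'   => sanitize_text_field( $raw['title'] ?? '' ),
        'task'    => sanitize_text_field( $raw['task'] ?? '' ),
        // Assumption: Details may carry formatting, so keep only the
        // HTML that WordPress allows in post content (no script, no on* handlers).
        'details' => wp_kses_post( $raw['details'] ?? '' ),
    );
}

// Output path ("All Sheets" listing): escape at render time as well,
// so rows stored before the fix are displayed inert.
function example_render_sheet_row( array $sheet ) {
    return sprintf(
        '<tr><td>%s</td><td>%s</td><td>%s</td></tr>',
        esc_html( $sheet['title'] ),
        wp_kses_post( $sheet['details'] ),
        esc_html( $sheet['task'] )
    );
}
```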