CP Blocks < 1.0.15 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape its “License ID” settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.

PoC

Put the following payloads in the “License ID” setting of the plugin and save: ">