The plugin is affected by a cross site scripting (XSS) vulnerability in the plugin’s setting page.
Enter the payload below for the “SMS Alert Username” in the plugin’s settings. “+onfocus=“alert(1)”+autofocus=” You will observe that the JavaScript payload successfully got reflected is and we are getting a pop-up.