Sync iCloud COS < 2.0.1 - Admin+ Stored Cross-Site Scripting

An attacker with admin-level privileges can inject arbitrary JavaScript into plugin settings that are not properly escaped [ref_id=1]. When other users (including other admins) view the affected settings page, the injected script executes in their browser. This is a stored Cross-Site Scripting (XSS) attack [CWE-79] that bypasses the unfiltered_html capability restriction, meaning the attack works even when WordPress normally prevents administrators from inserting arbitrary HTML/JavaScript [ref_id=1].

The Sync QCloud COS WordPress plugin (versions before 2.0.1) does not escape some of its settings [ref_id=1]. The advisory does not specify the exact file paths or function names responsible for the missing escaping.

The advisory states the vulnerability is fixed in version 2.0.1 of the Sync QCloud COS plugin [ref_id=1]. No patch diff is provided in the bundle, but the fix would involve properly escaping the plugin's settings output using WordPress escaping functions (e.g., esc_html() or wp_kses()) to prevent stored XSS. The advisory does not include a patch or further technical details about the remediation.