Digital Publications by Supsystic < 1.7.4 - Admin+ Stored Cross-Site Scripting

An attacker with admin-level privileges can inject arbitrary JavaScript into the plugin's settings fields. Because the plugin does not sanitize or escape these settings [ref_id=1], the injected script is stored and executed when any user (including other administrators) visits the settings page. This allows stored cross-site scripting even when the WordPress `unfiltered_html` capability is disallowed [ref_id=1].

The advisory does not specify the exact file or function name within the Digital Publications by Supsystic plugin that is vulnerable. The plugin's settings page is the affected code path, as the plugin fails to sanitize and escape its settings before output [ref_id=1].

The advisory states the vulnerability is fixed in version 1.7.4 of the plugin [ref_id=1]. No patch diff is provided in the bundle, but the fix presumably adds proper sanitization and escaping of the plugin's settings before they are output, preventing stored XSS injection by high-privilege users.