Ionut Morosan

**Name of the Vulnerable Software and Affected Versions** WP Offload SES Lite WordPress plugin versions prior to 1.4.5 **Description** The issue arises from the failure to escape certain fields in the Activity page of the admin dashboard, such as the email's `id`, `subject`, and `recipient`. This oversight could lead to Stored Cross-Site Scripting issues when an attacker gains control over any of these fields, for example, by manipulating the `subject` field when filling out a contact form. The XSS will be executed in the context of a logged-in admin viewing the Activity tab of the plugin. **Recommendations** For versions prior to 1.4.5, update to version 1.4.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the Activity tab of the plugin to minimize the risk of exploitation. Avoid using the vulnerable fields, such as `subject` and `recipient`, in the Activity page until the issue is resolved.