Raul

**Name of the Vulnerable Software and Affected Versions** WPCargo Track & Trace WordPress plugin versions prior to 6.9.5 **Description** The issue allows high privilege users, such as admins, to perform Cross-Site Scripting attacks, even when unfiltered html is disallowed, due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 6.9.5, update to version 6.9.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings for high privilege users until the update is applied.

**Name of the Vulnerable Software and Affected Versions** WPCargo Track & Trace WordPress plugin versions prior to 6.9.5 **Description** The issue concerns a reflected Cross-Site Scripting attack. Attackers could exploit this by manipulating the `wpcargo tracking number` parameter, which is not properly sanitized and escaped before being outputted back on the page. This could allow attackers to perform reflected Cross-Site Scripting attacks. **Recommendations** For versions prior to 6.9.5, update to version 6.9.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the `wpcargo tracking number` parameter to minimize the risk of exploitation.