CVE-2022-0680

Name of the Vulnerable Software and Affected Versions Plezi WordPress plugin versions prior to 1.0.3

Description The issue allows unauthenticated users to update the plz configuration tracker enable option through a REST endpoint. This option is then displayed in the admin panel without proper sanitization and escaping, leading to a Stored Cross-Site Scripting issue.

Recommendations For versions prior to 1.0.3, update to version 1.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the REST endpoint that updates the plz configuration tracker enable option until a patch is applied.