PT-2025-1896 · Icegram Express · Email Subscribers

Dmitry Ignatyev · Published 2025-01-13 · Updated 2025-05-08

CVE-2024-12566

CVSS v3.1: 4.8
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions:

Email Subscribers by Icegram Express WordPress plugin versions prior to 5.7.45

Description:

The issue allows high-privilege users, such as administrators, to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. This is due to the plugin not sanitising and escaping some form settings.

Recommendations:

For versions prior to 5.7.45, update to version 5.7.45 or later to resolve the issue. As a temporary workaround, consider restricting the use of the form settings that could be used to perform Stored Cross-Site Scripting attacks until the update can be applied.
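The defensive pattern the description points at, shown as an added WordPress-style illustration that is not the plugin's own code: form settings are sanitised on save (with wp_kses_post applied whenever the saving user lacks unfiltered_html, as a site admin on multisite does) and escaped again on output. The option name, the demo_ function names and the two field names are assumptions.

```php
<?php
// Added illustration, not code from the Icegram Express plugin.
// Option name, demo_* function names and field names are assumptions.

// Sanitise on save: a user without the unfiltered_html capability
// (e.g. a site admin on multisite) must not be able to store script
// in a setting that is later rendered on the front end.
function demo_form_settings_sanitize( array $input ): array {
    $clean = array();

    // Plain-text field: strip all tags, keep only text.
    $clean['form_name'] = sanitize_text_field( $input['form_name'] ?? '' );

    // Rich-text field: reduce to the post-safe HTML subset unless the
    // current user explicitly holds unfiltered_html.
    $message = $input['success_message'] ?? '';
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $message = wp_kses_post( $message );
    }
    $clean['success_message'] = $message;

    return $clean;
}

// Register the setting with a sanitize callback so every write through
// the Settings API passes through demo_form_settings_sanitize().
add_action( 'admin_init', function () {
    register_setting(
        'demo_form_settings_group',
        'demo_form_settings',
        array( 'sanitize_callback' => 'demo_form_settings_sanitize' )
    );
} );

// Escape on output as well: stored data is never trusted at render time,
// so a value that slipped past the save path still cannot execute.
function demo_form_render(): string {
    $settings = get_option( 'demo_form_settings', array() );
    $name     = $settings['form_name'] ?? '';
    $message  = $settings['success_message'] ?? '';

    return '<div class="demo-form" data-name="' . esc_attr( $name ) . '">'
         . '<h3>' . esc_html( $name ) . '</h3>'
         . '<p class="success">' . wp_kses_post( $message ) . '</p>'
         . '</div>';
}
```

Checking both paths is the useful test: save a setting as a multisite site admin and confirm script tags are gone from the stored option, then confirm the rendered output escapes the value even if the option is edited directly in the database.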

Category: XSS

Related Identifiers: CVE-2024-12566

Affected Products: Email Subscribers