From this webpage screenshot, the following key information about the vulnerability can be obtained:

1. Plugin Name: Floating Contact Button < 2.8
2. Vulnerability Type: Admin+ Stored XSS
3. Description: The plugin does not sanitize or escape certain settings, allowing high-privilege users (such as administrators) to execute cross-site scripting attacks even when is disabled.
4. Proof of Concept:
   - Navigate to the "Floating Contact" section in WP Admin.
   - In the "Insert here your shortcode" field, enter the following payload:
   - Click the adjacent "jQuery" button.
   - Click "Save Settings" to apply changes.
   - Confirm that XSS is triggered on the homepage screen.
5. Affected Plugin: floating-contact
6. Fix Status: Fixed in version 2.8.
7. References:
   - CVE: None
   - OWASP Top 10: A7: Cross-Site Scripting (XSS)
   - CWE: CWE-79
8. Additional Information:
   - Submitter: Kientt
   - Verified: Yes
   - WPVDB ID: b584a225-0d91-464d-b1c1-15594274d9d4
   - Publication Date: 2024-08-20
   - Added Date: 2024-08-20
   - Last Updated Date: 2024-08-20
   - Related Vulnerabilities:
     - Elementor Addon Elements < 1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Content Switcher Widget
     - Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue < 3.1.25 - Reflected XSS
     - WP-Ban < 1.69.1 - Admin+ Stored XSS
     - Checklist < 1.1.9 - Unauthenticated Reflected XSS
     - Gutentor - Gutenberg Blocks - Page Builder for Gutenberg Editor < 3.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

This information provides a detailed description of the vulnerability, the steps used to reproduce it, the affected plugin, and the fix status.