A Stored XSS vulnerability has been found in the administration page of the WTI Like Post plugin 1.4.4 for WordPress. Once the administrator has submitted the crafted data, the script stored is executed for all the users visiting the public posts.
March 27th, 2020 - Report received. v1.4.5 released on March 11th, 2020 attempted to fix the issue, however the fix is not sufficient (done only client side). Furthermore, payloads with events still works. Emailed the researcher back, who then contacted the authors about it.
April 7th, 2020 - Authors replied to researcher that they "will make further improvements on this."
April 22nd, 2020 - Asked for updates to researcher
April 28th 2020 - No update from authors via researcher, escalated to WP Plugin team.
May 1st, 2020 - Plugin closed for review