During security research I found an authenticated Stored XSS vulnerability in the Float to Top Button plugin, versions <= 2.3.6.


The plugin does not escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).


Put the following payload in the "Text for the button" or "URL of a custom "Top of Page" image" settings of the plugin and save:

"autofocus onfocus=alert(/XSS/)//

The XSS will be triggered when accessing the settings page again.
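
The missing output escaping described above, next to its corrected form, as an added example that is not the plugin's source code. The `button_text` field name and the input markup are assumptions, and `htmlspecialchars()` stands in for WordPress's `esc_attr()` so the file runs without WordPress loaded.

```php
<?php
// Added illustration, not the plugin's code. Field name and markup are assumed.

// Constructed sample: the value saved in the "Text for the button" setting.
$saved = '"autofocus onfocus=alert(/XSS/)//';

// Settings form field printed without escaping: the leading double quote in
// the saved value closes value="..." and the rest is parsed as new attributes.
function render_unescaped(string $value): string
{
    return '<input type="text" name="button_text" value="' . $value . '">';
}

// Same field with the value escaped for an HTML attribute at output time.
// In WordPress the call would be esc_attr($value).
function render_escaped(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="button_text" value="' . $safe . '">';
}

// The template itself contains three quoted attributes, so six raw double
// quotes. Any additional raw quote means the stored value left its attribute.
function value_stays_in_attribute(string $html): bool
{
    return substr_count($html, '"') === 6;
}

foreach (['unescaped' => render_unescaped($saved),
          'escaped'   => render_escaped($saved)] as $label => $html) {
    printf("%-9s %s\n          contained in value attribute: %s\n",
        $label,
        $html,
        value_stays_in_attribute($html) ? 'yes' : 'no');
}
```

Escaping at output time is what makes the fix independent of the unfiltered_html capability, since the stored value is never trusted as markup.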

Additional information

WPSCAN link: https://wpscan.com/vulnerability/1c551234-9c59-41a0-ab74-beea2d27df6b

Active installations: N/A