During a security research I found an authenticated Stored XSS vulnerability. The name of the plugin is: WordPress YITH Maintenance Mode plugin, the version of the affected plugin: < 1.3.8


The plugin does not sanitise and escape some of its settings, which could 
allow high privilege users such as admin to perform Cross-Site Scripting 
attacks even when unfiltered_html is disallowed


Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities 
discovered by Vlad Visse (Patchstack) in WordPress YITH Maintenance 
Mode plugin (versions <= 1.3.8). Additionally, there are 46 
additional parameters fixed that were missed by updating from 
vulnerable version 1.3.7 to 1.3.8 reported 
by Asif Nawaz Minhas (Patchstack Red Team).

Additional information

PATCHSTACK link: https://patchstack.com/database/vulnerability/yith-maintenance-mode/wordpress-yith-maintenance-mode-plugin-1-3-8-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities


NIST LINK: https://nvd.nist.gov/vuln/detail/CVE-2021-36845

Plugin has more than 7,000+ active installations.