During a security research I found an authenticated Stored XSS vulnerability. The name of the plugin is: WordPress YITH Maintenance Mode plugin, the version of the affected plugin: < 1.3.8
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by Vlad Visse (Patchstack) in WordPress YITH Maintenance Mode plugin (versions <= 1.3.8). Additionally, there are 46 additional parameters fixed that were missed by updating from vulnerable version 1.3.7 to 1.3.8 reported by Asif Nawaz Minhas (Patchstack Red Team).
PATCHSTACK link: https://patchstack.com/database/vulnerability/yith-maintenance-mode/wordpress-yith-maintenance-mode-plugin-1-3-8-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities
NIST CVSS SCORE: 4.8
Plugin has more than 7,000+ active installations.