The Wordfence Threat Intelligence Team recently disclosed several Reflected Cross-Site Scripting vulnerabilities that we discovered in three different plugins – Watu Quiz (installed on 5,000 sites), GN-Publisher (installed on 40,000 sites), and Japanized For WooCommerce (installed on 10,000 sites). As with all Reflected Cross-Site Scripting vulnerabilities, these could be leveraged for a complete site takeover as long as an unauthenticated attacker could successfully trick a site administrator into performing an action, such as clicking on a link or visiting a website under the attacker’s control.
All Wordfence customers, including those using the free version of our plugin, are protected against any exploits targeting these vulnerabilities by the Wordfence firewall’s built-in Cross-Site Scripting protection.
Source and more details: https://www.wordfence.com/blog/2023/03/multiple-reflected-cross-site-scripting-vulnerabilities-in-three-wordpress-plugins-patched