Better WordPress Google XML Sitemaps <= 1.4.1 - Unauthenticated Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape its logs when outputting them in the admin dashboard, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks against admins

Proof of Concept

With the permalinks settings set to plain, as an unauthenticated user, open http://example.com/?bwpsitemap=%3Cimg%20src%20onerror=alert(/XSS/)%3E



The XSS will be triggered in the log dashboard of the plugin https://example.com/wp-admin/admin.php?page=bwp_gxs_stats