Published: 2024/11/13  Last Updated: 2024/11/13

Information from Vektor, Inc.

Vulnerability ID: JVN#05136799
Title: WordPress Plugin "VK All in One Expansion Unit" vulnerable to cross-site scripting
Status: Vulnerable

This is a statement from the vendor itself with no modification by JPCERT/CC.

In situations where a WordPress site has the VK All in One Expansion Unit plugin (available on WordPress.org) activated and is managed by multiple users with administrator privileges, there exists a risk of stored XSS attacks. A malicious administrator could go to the admin settings page, navigate to “ExUnit” → “Ad Alert” → “Custom Alert Content,” and embed arbitrary JavaScript within an iframe tag. By saving these settings and publishing the content, this could lead to the script executing on the web browsers of users who view the page, allowing for potential attacks such as cookie theft or session ID hijacking.

In response to the above report, version 9.100.1.0 of the VK All in One Expansion Unit has been updated to remove any iframe tags entered in the “ExUnit” → “Ad Alert” → “Custom Alert Content” section.

https://github.com/vektor-inc/vk-all-in-one-expansion-unit/pull/1121

However, it remains possible for users with lower permissions, such as editors or authors, to place similar code in the WordPress admin panel using the standard custom HTML block. This vulnerability is possible regardless of whether the VK All in One Expansion Unit plugin is being used.
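The following is an added example, not the plugin's code and not taken from the pull request linked above: a standalone PHP function that removes every iframe element from an HTML settings value before it is stored, which is the class of fix the vendor statement describes for the “Custom Alert Content” field. The function name strip_iframes and the sample input are assumptions for illustration; the example uses only PHP's bundled DOM extension and does not require WordPress.

```php
<?php
// Added example (hypothetical helper, not the plugin's own fix): drop every
// <iframe> element from an HTML fragment before it is saved as a setting.
// Everything else in the fragment is preserved unchanged.

function strip_iframes(string $html): string
{
    if (trim($html) === '') {
        return '';
    }

    // libxml is noisy about loose markup; silence it and restore the old mode after.
    $previous = libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    // The XML processing instruction forces UTF-8 handling; the wrapper <div>
    // gives us a stable element to serialize the fragment back out of.
    $doc->loadHTML('<?xml encoding="utf-8" ?><div id="__root">' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $xpath = new DOMXPath($doc);

    // Collect matches first: removing nodes while iterating a live NodeList skips entries.
    $iframes = [];
    foreach ($xpath->query('//iframe') as $node) {
        $iframes[] = $node;
    }
    foreach ($iframes as $node) {
        $node->parentNode->removeChild($node);
    }

    $root = $xpath->query('//div[@id="__root"]')->item(0);
    if ($root === null) {
        return '';
    }

    // Serialize only the children of the wrapper, i.e. the original fragment.
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input: ad content with an iframe carrying inline script,
// the kind of payload the vendor statement describes.
$submitted = '<p>Sale!</p>'
    . '<iframe srcdoc="&lt;script&gt;alert(document.cookie)&lt;/script&gt;"></iframe>'
    . '<a href="/offer">Offer</a>';

$stored = strip_iframes($submitted);
echo $stored, PHP_EOL;   // <p>Sale!</p><a href="/offer">Offer</a>
```

Removing only iframe elements matches the narrow scope of the fix described above. Inside WordPress the usual tool for a field meant to hold limited HTML is the core function wp_kses_post(), whose allowlist omits iframe and script elements and drops event-handler attributes as well, so it covers a wider range of payloads than a single-tag filter.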