There are some vulnerabilities in the Multiple Sidebars plugin, which is used by a lot of themes. I already notified Envato about this half a year ago, and they promised that they would take care of the issue; however, nothing happened.
A few days ago, I notified some authors about it, some of them already fixed it, some of them didn’t even reply.
Given that some changelogs already contain the note about the fix, I decided to publish it here, so every author who uses the plugin in their products can be notified about it.
The main problem is that it doesn’t verify the user roles, and some output is printed unfiltered, which leads to a reflected XSS.
I won’t publish an exploit, but here is a fixed version if someone needs it:
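The plugin's own fixed version is not reproduced on this page. As an added illustration (not the Multiple Sidebars plugin's code, and not the author's fix), the block below shows the two defect classes named above in a hypothetical WordPress admin-ajax handler: first the weak pattern (no role/capability check, request value echoed unescaped), then a hardened version that checks the capability, verifies a nonce, sanitizes the input and escapes at the output context. The function names, the `msb_example_*` action names and the `sidebar_name`/`nonce` parameters are assumptions for the example; the WordPress API calls (`current_user_can`, `check_ajax_referer`, `sanitize_text_field`, `esc_html`, `esc_attr`, `wp_send_json_*`) are real.

```php
<?php
// Added illustration, not the Multiple Sidebars plugin's code.
// Function, action and parameter names below are hypothetical.

// --- Weak pattern: no capability/nonce check, request value echoed unescaped ----
function msb_example_add_sidebar_weak() {
    $name = isset( $_POST['sidebar_name'] ) ? $_POST['sidebar_name'] : '';
    // Any logged-in user reaches this point (or anyone, if the handler is also
    // registered under wp_ajax_nopriv_), and the raw request string is written
    // straight into the response: this is the reflected XSS sink.
    echo '<li>' . $name . '</li>';
    wp_die();
}
add_action( 'wp_ajax_msb_example_add_sidebar_weak', 'msb_example_add_sidebar_weak' );

// --- Hardened pattern ------------------------------------------------------------
function msb_example_add_sidebar() {
    // 1. Only users allowed to manage theme options/widgets may call this.
    //    wp_send_json_error() terminates the request, so there is no fall-through.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. Tie the request to a nonce issued to this user for this action (CSRF defence).
    //    Dies with a 403 if the 'nonce' POST field is missing or invalid.
    check_ajax_referer( 'msb_example_add_sidebar', 'nonce' );

    // 3. Normalise the input before it is stored or shown.
    $name = isset( $_POST['sidebar_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['sidebar_name'] ) )
        : '';
    if ( '' === $name ) {
        wp_send_json_error( array( 'message' => 'Sidebar name is required.' ), 400 );
    }

    // 4. Escape for the exact output context: esc_attr() inside an attribute,
    //    esc_html() for element content. Sanitizing on input is not a substitute
    //    for this step.
    $html = sprintf(
        '<li data-sidebar="%s">%s</li>',
        esc_attr( $name ),
        esc_html( $name )
    );
    wp_send_json_success( array( 'html' => $html ) );
}
add_action( 'wp_ajax_msb_example_add_sidebar', 'msb_example_add_sidebar' );

// The admin page that sends the request must carry a matching nonce, for example
// wp_nonce_field( 'msb_example_add_sidebar', 'nonce' ); inside its form, or
// wp_create_nonce( 'msb_example_add_sidebar' ) passed to the script via
// wp_localize_script(). Without it, check_ajax_referer() rejects every request.
```

The capability check and the nonce check address different risks: the first stops low-privileged accounts from calling the handler at all, the second stops a privileged user's browser from being made to call it by a third-party page. Escaping at output is what removes the reflected XSS, and it has to be applied with the function matching the HTML context the value lands in.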