Reflected XSS in "Client Notes" Field

Low
MainWP
Submitted None
Reported by rishail01

Vulnerability Details

Technical details and impact analysis

Cross-site Scripting (XSS) - Reflected
A reflected Cross-Site Scripting (XSS) vulnerability exists in the “Notes” functionality under the Edit Client section. When a user adds a new client and navigates to the "Edit Client" page, they have the ability to attach notes. However, if a malicious JavaScript payload is entered in the notes input field and saved, it is not sanitized properly and is reflected back in the application upon submission, triggering an XSS alert. The payload is not stored permanently, but it executes instantly after form submission, which confirms it's a reflected XSS and not a stored one.

## Impact

The presence of such a vulnerability indicates that user input is not properly sanitized or encoded before being reflected back into the HTML response. While not directly exploitable by other users, this flaw can have the following implications:

- It highlights a potential entry point for more severe XSS vulnerabilities if similar input handling exists elsewhere in the application.
- It poses a client-side security risk, especially in environments with browser extensions, debugging tools, or when integrating third-party scripts.
- It reduces trust in the platform’s secure coding practices, especially in an admin interface that manages multiple WordPress sites.
- It can be used by attackers with access to the dashboard (e.g., insider threat or compromised low-privilege user) to test or explore further payload injection points.

Addressing such vulnerabilities improves the overall resilience of the application and helps prevent future, more impactful exploits.
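The class of fix the report points to, encoding the submitted note at the point where it is written back into the response, is sketched below as an added example; it is not code from the report or from MainWP. The field name `client_note` and all function names are hypothetical, and the sample input is constructed.

```php
<?php
// Added illustration, not MainWP code. 'client_note' and the function
// names below are hypothetical; the sample request body is constructed.
$submitted = ['client_note' => '<script>alert(1)</script>'];

/** Before: the posted note is echoed into the response unchanged. */
function render_note_unsafe(array $post): string
{
    $note = $post['client_note'] ?? '';
    return '<div class="note-preview">' . $note . '</div>';
}

/** Encode a value for an HTML text or quoted-attribute context. */
function h(string $value): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces
    // invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** After: check the type, then encode where the value meets the markup. */
function render_note_safe(array $post): string
{
    $note = $post['client_note'] ?? '';
    if (!is_string($note)) {
        $note = ''; // a request sending client_note[]=... yields an array
    }
    return '<div class="note-preview">' . h($note) . '</div>';
}

$unsafe = render_note_unsafe($submitted);
$safe   = render_note_safe($submitted);

// The unsafe response carries a parseable <script> element; the safe
// response carries the same characters as inert text.
var_dump(strpos($unsafe, '<script>') !== false);
var_dump(strpos($safe, '<script>') === false);
echo $safe, PHP_EOL;
```

Inside WordPress code the same encoding is normally done with `esc_html()` for element text and `esc_textarea()` for textarea contents, and it applies whether or not the value is also persisted.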

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$50.00

Submitted

Weakness

Cross-site Scripting (XSS) - Reflected