CVE-2023-4290

The WP Matterport Shortcode WordPress plugin before 2.1.7 does not escape the PHP_SELF server variable when outputting it in attributes, leading to Reflected Cross-Site Scripting issues which could be used against high privilege users such as admin > MITRE Terms of Use apply – see LICENSE‑MITRE.txt