The Amen WordPress plugin through 3.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
{ "cpes": [ "cpe:2.3:a:amen_project:amen:*:*:*:*:*:wordpress:wordpress:*" ], "severity": "Medium" }