The advanced-custom-fields (aka Elliot Condon Advanced Custom Fields) plugin prior to 5.7.8 for WordPress is vulnerable to cross-site scripting (XSS) by authors.
advancedcustomfields advanced custom fields