Ugh, Patchstack.
I already told them this privately, but here we go again:
There is no bug in this plugin itself.
You can get the same behavior by updating the WPLANG option to ‘);alert(‘XSS’);console.log(‘ in wp_options and then going to the post editor. Same effect.
The script execution happens because of this line here where Moment.js is localized: https://github.com/<wbr>WordPress/wordpress-develop/<wbr>blob/<wbr>3d139fdf61ae62b51ac26ad28fd2ef<wbr>d89758f173/src/wp-includes/<wbr>script-loader.php#L144-L145
So if anything, this needs hardening in WordPress core. However, self-XSS issues within wp-admin requiring users with unfiltered_html capability are not under the scope of the WordPress HackerOne program. So a public trac ticket for wrapping the usage there in esc_js() is probably the best option.
FWIW while this still a core issue (tracked in https://core.trac.wordpress.org/ticket/61341) and this whole report was incorrect and this plugin already does all the usual input sanitization, I went ahead and added some extra hardening to the plugin just so Patchstack will fix their report.
Thanks for the update, Pascal.
