The WP Mapa Politico Espana WordPress plugin before 3.7.0 does not sanitise or escape some of its settings before outputting them in attributes, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
https://wpscan.com/vulnerability/8b639743-3eb5-4f74-a156-76cb657bbe05