Active Choices Plugin 2.4 and earlier does not escape the name and description of build parameters.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Active Choices Plugin 2.5 escapes the name of build parameters and applies the configured markup formatter to the description of build parameters.