REST List Parameter Plugin 1.3.0 and earlier does not escape a parameter name reference in embedded JavaScript.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
REST List Parameter Plugin 1.3.1 no longer identifies a parameter using user-specified content.