Hello,

Plugin: Kiwi Logo Carousel 1.7.1 https://wordpress.org/plugins/kiwi-logo-carousel/

1. Cross-Site Scripting (XSS) 

Authenticated administrators can inject html/js code (there is no CSRF protection).

Method: GET

Url: http://localhost/wp-admin/edit.php?post_type=kwlogos&page=kwlogos_settings&tab=[xss]

Vulnerable parameter: tab_flags_order

Example PHP callstack:

kiwi_logo_carousel_admin::admin_pages_manage_carousels   [/kiwi-logo-carousel/kiwi_logo_carousel_admin.php:466]

Verification: