1. Cross-Site Scripting (XSS)
Authenticated administrators can inject HTML/JS code (there is no CSRF protection).
Method: GET
Vulnerable parameters: pubid
Example PHP callstack:
addthis_plugin_options_php4 [/addthis/addthis_social_widget.php:1667]
Verification:
Another XSS (also via the pubid parameter) is probably located in Addthis_Wordpress::addthisWordpressOptions [/addthis/addthis-for-wordpress.php:136]
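
The class of fix for a reflected request parameter such as pubid, shown as an added example; this is not the plugin's code. The function names, the allow-list pattern for the ID and the sample values are assumptions made for illustration.

```php
<?php
// Added illustration, not the AddThis plugin's code; all function names are hypothetical.

// Stand-in so the file runs outside WordPress; WordPress ships its own esc_attr().
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the request value is copied into an attribute unescaped.
function render_pubid_vulnerable(array $query) {
    $pubid = isset($query['pubid']) ? $query['pubid'] : '';
    return '<input type="text" name="pubid" value="' . $pubid . '">';
}

// Hardened: allow-list validation first, then escaping for the attribute context.
function render_pubid_hardened(array $query) {
    $pubid = (isset($query['pubid']) && is_string($query['pubid'])) ? $query['pubid'] : '';
    // Assumption: a profile ID needs only letters, digits, '-' and '_'.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $pubid)) {
        $pubid = '';
    }
    return '<input type="text" name="pubid" value="' . esc_attr($pubid) . '">';
}

// CSRF gate for the save action. In WordPress this is wp_nonce_field() in the
// form plus check_admin_referer() and current_user_can() in the handler.
function csrf_token_valid($expected, $supplied) {
    return is_string($supplied) && hash_equals($expected, $supplied);
}

// Constructed sample input: a harmless markup marker, not taken from the advisory.
$marker = array('pubid' => 'x"><i>marker</i>');
echo render_pubid_vulnerable($marker), "\n";  // unescaped rendering
echo render_pubid_hardened($marker), "\n";    // validated and escaped rendering
echo render_pubid_hardened(array('pubid' => 'example-id_01')), "\n";

$token = bin2hex(random_bytes(16));           // per-session token (constructed)
var_dump(csrf_token_valid($token, $token));   // request carrying the token
var_dump(csrf_token_valid($token, null));     // request without a token
```

Escaping closes the injection itself; the token check addresses the missing CSRF protection, which is what lets a request the administrator did not intend reach the options page.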