Hello,

Plugin: WP Widget Cache 0.26 https://wordpress.org/plugins/wp-widget-cache/

1. Reflected Cross-Site Scripting (XSS)

Authenticated administrators can inject html/js code (there is no CSRF protection!).

Method: GET

Url: http://localhost/wp-admin/widgets.php?wgdel=[xss]

Vulnerable parameters: wgdel

Example PHP callstack:

WidgetCache::widget_wgdel_notice   [/wp-widget-cache/widget-cache.php:332]

Verification: