Subject: Persistent Cross-Site Scripting (XSS) in Visitor Maps and Who's Online 1.5.8.6
Date: Thu, 20 Aug 2015 12:50:46 +0200


Hello,

Plugin: Visitor Maps and Who's Online 1.5.8.6 https://wordpress.org/plugins/visitor-maps/

1. Persistent Cross-Site Scripting (XSS)

Authenticated administrators can store HTML/JS code (the request has no CSRF protection). For successful exploitation there must be at least 2 pages (more than 25 rows) in the Visitor Maps - Who's Been Online view.

Method: GET
Url: http://localhost/wp-admin/index.php?page=whos-been-online&pagenum=2&order=[xss]
Vulnerable parameters: order, sort_by

Example PHP callstack:
VisitorMaps::visitor_maps_whos_been_online   [visitor-maps/visitor-maps.php:103]
WoBeen::view_whos_been_online   [/visitor-maps/class-wo-been.php:206]

Verification:
http://localhost/wp-admin/index.php?page=whos-been-online&pagenum=2&order=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E
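As an added illustration (this is not the plugin's code; the function names, the column whitelist and the variable names are hypothetical), the unsafe pattern behind this class of bug in a WordPress list view, next to a hardened version that whitelists `sort_by`/`order` and escapes the values when rebuilding the pagination links:

```php
<?php
// Hypothetical reconstruction of the bug class, not the plugin's own code.
// WordPress helpers used: esc_url(), add_query_arg(), wp_unslash(), sanitize_key().

// UNSAFE: raw request values are interpolated into an href attribute. A value such
// as  "><img src=x onerror=...>  closes the attribute and injects a new element.
function pagination_link_unsafe( $base_url, $pagenum ) {
    $sort_by = $_GET['sort_by'];
    $order   = $_GET['order'];
    return '<a href="' . $base_url . '&pagenum=' . $pagenum
         . '&sort_by=' . $sort_by . '&order=' . $order . '">' . $pagenum . '</a>';
}

// HARDENED, step 1: accept only known column names and ASC/DESC, fall back otherwise.
function read_sort_params( array $get ) {
    $columns = array( 'last_visit', 'ip_address', 'hits' ); // assumed column whitelist
    $sort_by = isset( $get['sort_by'] ) ? sanitize_key( wp_unslash( $get['sort_by'] ) ) : 'last_visit';
    if ( ! in_array( $sort_by, $columns, true ) ) {
        $sort_by = 'last_visit';
    }
    // sanitize_key() lowercases, so normalise to upper case before comparing.
    $order = isset( $get['order'] ) ? strtoupper( sanitize_key( wp_unslash( $get['order'] ) ) ) : 'DESC';
    if ( 'ASC' !== $order && 'DESC' !== $order ) {
        $order = 'DESC';
    }
    return array( $sort_by, $order );
}

// HARDENED, step 2: build the URL with add_query_arg() and escape it on output.
function pagination_link_safe( $base_url, $pagenum, array $get ) {
    list( $sort_by, $order ) = read_sort_params( $get );
    $url = add_query_arg(
        array( 'pagenum' => (int) $pagenum, 'sort_by' => $sort_by, 'order' => $order ),
        $base_url
    );
    return '<a href="' . esc_url( $url ) . '">' . (int) $pagenum . '</a>';
}

// The whitelisted $sort_by / $order values are also the only ones that should reach
// the ORDER BY clause of the listing query; never interpolate the raw request values.
```

Whitelisting is what removes the bug; escaping on output is the second layer in case a value reaches the markup by another path.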

--
Regards,
Marcin Probola,