Subject: Cross-Site Scripting (XSS) in Role Scoper 1.3.64
Date: Wed, 26 Aug 2015 10:08:54 +0200

Hello,

Plugin: Role Scoper 1.3.64 https://wordpress.org/plugins/role-scoper/

1. Reflected Cross-Site Scripting (XSS)

The id parameter of the group-members edit page is reflected into the HTML response without encoding. The page is only reachable by an authenticated administrator, but the request carries no nonce or other CSRF protection, so an attacker who gets a logged-in administrator to open a crafted link can execute arbitrary HTML/JavaScript in that administrator's session.

Method: GET
Url: http://localhost/wp-admin/admin.php?page=rs-group_members&mode=edit&id=[xss]
Vulnerable parameters: id

Example PHP callstack:
/role-scoper/admin/group_members.php:94

Verification (the id value URL-decodes to "><img src=x onerror=alert(1) />, which closes the attribute it is reflected into and injects a new element):
http://localhost/wp-admin/admin.php?page=rs-group_members&mode=edit&id=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E
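The following is an added example, not code from the Role Scoper plugin: it reconstructs the kind of output pattern that produces this bug (the actual line at role-scoper/admin/group_members.php:94 is not reproduced here, so the vulnerable function is a hypothetical illustration) and shows the hardened form beside it. The function names render_group_form_vulnerable and render_group_form_hardened are invented for the example; esc_attr() and absint() are real WordPress functions, with minimal stand-ins so the file also runs from the command line outside WordPress.

```php
<?php
// Added example (not Role Scoper's code): reflected XSS through an unescaped
// query parameter in a wp-admin page, next to the hardened version.

// Stand-ins so this file runs outside WordPress. Inside WordPress these
// functions already exist and the stand-ins are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($maybeint) {
        return abs((int) $maybeint);
    }
}

// Hypothetical vulnerable pattern: the raw $_GET['id'] is echoed into an
// attribute. The payload "><img src=x onerror=alert(1) /> closes the
// value="..." attribute and injects a new element with an event handler.
function render_group_form_vulnerable(array $get) {
    $id = isset($get['id']) ? $get['id'] : '';
    return '<input type="hidden" name="id" value="' . $id . '" />';
}

// Hardened pattern: the id is an integer, so cast it with absint(); escape
// at the point of output anyway, so a later change of the parameter's type
// cannot reintroduce the injection.
function render_group_form_hardened(array $get) {
    $id = isset($get['id']) ? absint($get['id']) : 0;
    return '<input type="hidden" name="id" value="' . esc_attr($id) . '" />';
}

// Constructed input: the URL-decoded id value from the verification URL.
$payload = '"><img src=x onerror=alert(1) />';

echo render_group_form_vulnerable(['id' => $payload]), "\n";
// -> <input type="hidden" name="id" value=""><img src=x onerror=alert(1) />" />

echo render_group_form_hardened(['id' => $payload]), "\n";
// -> <input type="hidden" name="id" value="0" />   (absint() of the payload is 0)
```

For the CSRF side, a WordPress admin page that changes state should carry a nonce: wp_nonce_field('rs_edit_group_members') in the form (action name assumed for the example) and check_admin_referer('rs_edit_group_members') before the request is processed. A nonce checked on the edit view itself would also stop a crafted link from rendering the page at all, but output escaping is the fix for the XSS; the nonce only limits who can reach the sink.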

-- 
Regards,
Marcin Probola,