The plugin did not escape, validate or escape the ‘s’ GET parameter before outputting back in the page, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in admin
https://example.com/wp-admin/admin.php?page=wpforo-phrases&s;=">