The plugin did not escape, validate or escape the ‘langid’ GET parameter before outputting back in the page, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in admin
https://example.com/wp-admin/admin.php?page=wpforo-phrases&ids;&action;=-1&langid;=">&phrase;_package=0&paged;=1&action2;=-1