Under /wp-admin/admin.php?page=dealertrend_api#feeds
If you change Company ID to "><script>alert(1)</script> it will execute (may have to do it twice, not sure).
I'm pretty sure all fields here are exploitable to XSS, as well as SQLi. They're persistent, meaning you're also vulnerable to cookie stealing and such.
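
The pattern behind the report above, as an added example in plain PHP (not the plugin's own code, and not part of the original post): a settings field that echoes the stored value into an HTML attribute unescaped, next to the same field with output escaping, input validation, and a regression check. The function names, the `company_id` field name and the assumption that a Company ID is a short numeric string are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example: names and field layout are hypothetical, not the plugin's code.

// Vulnerable pattern: the stored value is echoed into the attribute unescaped,
// so a value containing "> closes the attribute and the tag.
function render_field_raw(string $companyId): string {
    return '<input type="text" name="company_id" value="' . $companyId . '">';
}

// Hardened pattern: escape for the HTML attribute context at output time.
// Inside WordPress the equivalent call is esc_attr($companyId).
function render_field_escaped(string $companyId): string {
    $safe = htmlspecialchars($companyId, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="company_id" value="' . $safe . '">';
}

// Validation on save. Assumption: a Company ID is a short numeric string.
// Returns the cleaned value, or null when the input must be rejected.
function validate_company_id(string $input): ?string {
    $input = trim($input);
    return preg_match('/^[0-9]{1,10}$/', $input) === 1 ? $input : null;
}

// Regression check: parse the rendered markup and count <script> elements.
function count_script_elements(string $html): int {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate the malformed raw markup
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    return $doc->getElementsByTagName('script')->length;
}

$reported = '"><script>alert(1)</script>';   // value quoted in the report

printf("raw render:     %d script element(s)\n",
    count_script_elements(render_field_raw($reported)));
printf("escaped render: %d script element(s)\n",
    count_script_elements(render_field_escaped($reported)));
printf("reported value: %s\n",
    validate_company_id($reported) === null ? 'rejected' : 'accepted');
printf("numeric value:  %s\n",
    validate_company_id('12345') === null ? 'rejected' : 'accepted');
```

Escaping at output is what closes the hole; the validation step only narrows what can be stored and does not replace it.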