Title: Reflected XSS & Blind SQLi in wordpress plugin eshop v6.3.14

The following code snippets do not sanitize user input before passing it back to the browser via the $_GET request.

http://plugins.svn.wordpress.org/eshop/trunk/eshop-orders.php

From eshop-orders.php, XSS via the page & action variables (plugin source line numbers as given in the advisory):

144 $apge=get_admin_url().'admin.php?page='.$_GET['page'].'&action='.$_GET['action'];
145 echo '

Further snippets, same pattern of raw $_GET values built into a URL and echoed (line numbers as given):

244 ';
303 $phpself='?page='.$_GET['page'];
503 echo "
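The line-144 pattern, as an added example that is not the eshop plugin's code or part of the advisory: the vulnerable construction is reproduced in plain PHP beside one hardened form, so both can be run from the command line with a constructed probe request. Assumptions labelled in the code: get_admin_url_stub() stands in for WordPress's get_admin_url(), the action allowlist and the default page slug are hypothetical, and the hand-rolled filtering mirrors what sanitize_key()/esc_url() would do inside WordPress.

```php
<?php
// Added example, not the eshop plugin's code. Reproduces the reflected-XSS
// pattern from eshop-orders.php (raw $_GET['page'] / $_GET['action'] glued
// into an admin URL and echoed) and shows one hardened form.

// Assumption: plain-PHP stand-in for WordPress's get_admin_url().
function get_admin_url_stub(): string {
    return 'http://example.invalid/wp-admin/';
}

// Vulnerable pattern: untrusted query parameters concatenated into a URL and
// emitted inside an HTML attribute with no encoding at all. A value such as
// "><script>alert(1)</script> closes the attribute and injects markup.
function build_link_vulnerable(array $get): string {
    $apge = get_admin_url_stub() . 'admin.php?page=' . $get['page']
          . '&action=' . $get['action'];
    return '<a href="' . $apge . '">Orders</a>';
}

// Assumption: hypothetical allowlist of admin actions and default page slug;
// the real plugin's values are not reproduced here.
const ALLOWED_ACTIONS = ['view', 'edit', 'delete', 'refund'];
const DEFAULT_PAGE    = 'eshop-orders';

// Hardened form. Three independent layers, one per context:
//   1. validate: page restricted to slug characters (what sanitize_key() does),
//      action checked against an allowlist and otherwise reset to a safe value;
//   2. URL context: http_build_query() percent-encodes the parameters;
//   3. HTML context: htmlspecialchars() encodes the whole URL before it lands
//      in the href attribute (esc_url() does both 2 and 3 in WordPress).
function build_link_hardened(array $get): string {
    $page = isset($get['page'])
        ? preg_replace('/[^a-z0-9_\-]/i', '', (string) $get['page'])
        : '';
    if ($page === '') {
        $page = DEFAULT_PAGE;
    }
    $action = (isset($get['action']) && in_array($get['action'], ALLOWED_ACTIONS, true))
        ? $get['action']
        : 'view';

    $query = http_build_query(['page' => $page, 'action' => $action]);
    $url   = get_admin_url_stub() . 'admin.php?' . $query;
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">Orders</a>';
}

// Constructed probe request, the shape a reflected-XSS test against the
// page/action parameters would take.
$probe = [
    'page'   => 'eshop-orders',
    'action' => '"><script>alert(1)</script>',
];

echo "vulnerable: " . build_link_vulnerable($probe) . "\n";
echo "hardened:   " . build_link_hardened($probe) . "\n";
```

Run with `php example.php`: the vulnerable output contains a live `<script>` element inside the anchor, while the hardened output falls back to `action=view` and encodes the `&` as `&amp;`. The allowlist is the layer that actually removes attacker control of the value; the two encodings only guarantee that whatever does get through cannot change context, and a fix that applies only one of them is not complete.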