Title:Persistent XSS in wordpress plugin rockhoist-badges v1.2.2
There is a persistent cross site scripting vulnerability in the plugin Rockhoist Badges.  A user with the 
ability to edit_posts can inject malicious javascript.  Into the badge description or title field.

Line 603 doesn't sanitize user input before sending it to the browser in file ./rockhoist-badges/rh-badges.php:

-> 603: Delete
"><script>alert(1);</script> in the title or description field will inject js.