Title:Persistent XSS Vulnerability in Wordpress plugin AnyVar v0.1.1
$var_name and $var_text aren't sanitized before being sent to the webpage.  $var_name only can contain text so only $var_text is exploitable
In file ./anyvar/anyvar.php:

202                         echo "
203                                 
204                                  $var_name
205                                 [$var_name]
206                                 

In the text field box the following will trigger a JS alert popup: