Title:Persistent XSS Vulnerability in Wordpress plugin AnyVar v0.1.1$var_name and $var_text aren't sanitized before being sent to the webpage. $var_name only can contain text so only $var_text is exploitable In file ./anyvar/anyvar.php: 202 echo "203 204 $var_name 205[$var_name] 206td> In the text field box the following will trigger a JS alert popup: </textarea><script>alert(1);</script><textarea>