There is a reflected XSS vulnerability in the following php code ./advert/includes/advert-dashboard-user.php: 118: <input type="text" name="advertiser_name" id="user-company" value="<?php if(!empty($post_id)){echo get_post_meta($post_id, 'advertiser_company', true);}elseif(!empty($_POST['advertiser_name'])){echo $_POST['advertiser_name'];} ?>" required> 127: <input type="email" name="advertiser_email" id="user-email" value="<?php if(!empty($post_id)){echo get_post_meta($post_id, 'advertiser_email', true);}elseif(!empty($_POST['advertiser_email'])){echo $_POST['advertiser_email'];} ?>" required> 136: <input type="tel" name="advertiser_phone" id="user-phone" value="<?php if(!empty($post_id)){echo get_post_meta($post_id, 'advertiser_telephone', true);}elseif(!empty($_POST['advertiser_phone'])){echo $_POST['advertiser_phone'];} ?>" required> The variable advertiser_name appears to send unsanitized data back to the users browser via POST request.