There is a reflected XSS vulnerability in the following php code ./dc-woocommerce-multi-vendor/templates/shortcode/vendor_transactions.php: 34: <div class="wcmp_mixed_txt some_line"> <span><?php _e( ' Showing stats and reports for :', $WCMp->text_domain );?> </span><?php echo $_GET['from_date'] .'-'. $_GET['to_date']; ?> 46: <input id="wcmp_from_date" name="from_date" class="pickdate gap1" placeholder="From" value ="<?php echo $_GET['from_date']; ?>"/> 47: <input id="wcmp_to_date" name="to_date" class="pickdate" placeholder="To" value ="<?php echo $_GET['to_date'];?>"/> 74: <input type="hidden" id="export_transaction_start_date" name="from_date" value="<?php echo $_GET['from_date'];?>" /><input id="export_transaction_end_date" type="hidden" name="to_date" value="<?php echo $_GET['to_date'];?>" /> The variable from_date appears to send unsanitized data back to the users browser.