There is a reflected XSS vulnerability in the following php code ./magic-post-thumbnail/inc/admin/main.php: 14: <div id="ids" style="display:none;"><?php echo $_REQUEST['ids']; ?></div> The variable ids appears to send unsanitized data back to the users browser.