Proof of Concept

The vulnerable code is at roughly lines 68 to 84 of batch.php. It reads the value of the option `bm_row_amount` from the database and compares it with the `row_amount` parameter of the GET request. If the two differ, it updates the option `bm_row_amount` with the value supplied in the GET request. If you follow batch.php from the top, you can see that this code is not guarded by any precondition, such as a check that the user is an administrator or a CSRF nonce check. This means that anyone, as an unauthenticated user, can request the following URL and the option `bm_row_amount` will be updated:

https://example.com/?row_amount="><script>alert(2)</script>

The `row_amount` variable can also be sent as POST instead of GET to bypass a firewall, and it still works. The payload triggers on the plugin's main settings page (Posts > Move Categories):

https://example.com/wp-admin/edit.php?page=batchadmin
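The root cause described above is a state-changing handler with no authorization check, no CSRF protection, no input validation and no output escaping. The following is an added example of how such a handler could be guarded; it is not the plugin's own code. The option name `bm_row_amount`, the request parameter `row_amount` and the page slug `batchadmin` come from the advisory; the function names, the nonce action name, the default value of 20, the upper bound of 1000 and the `load-posts_page_batchadmin` hook (derived from the menu location Posts > Move Categories) are assumptions.

```php
<?php
// Added example, not code from the plugin. Assumed names: bm_handle_row_amount_update,
// bm_render_row_amount_field, nonce action 'bm_update_row_amount', hook
// 'load-posts_page_batchadmin', default 20, upper bound 1000.

function bm_handle_row_amount_update() {
    // State changes are accepted from POST only; a GET parameter is ignored.
    if ( ! isset( $_POST['row_amount'] ) ) {
        return;
    }

    // 1. Authorization: only users who may manage options can change it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'bm' ), '', array( 'response' => 403 ) );
    }

    // 2. CSRF: require a nonce bound to this action and to the logged-in user.
    check_admin_referer( 'bm_update_row_amount', 'bm_nonce' );

    // 3. Input validation: a row count is a positive integer, so anything else
    //    (including the "><script> payload from the advisory) is rejected.
    $new_amount = absint( wp_unslash( $_POST['row_amount'] ) );
    if ( $new_amount < 1 || $new_amount > 1000 ) {
        return;
    }

    $current = (int) get_option( 'bm_row_amount', 20 );
    if ( $current !== $new_amount ) {
        update_option( 'bm_row_amount', $new_amount );
    }
}
// Run only while loading the plugin's own admin page, never on front-end requests.
add_action( 'load-posts_page_batchadmin', 'bm_handle_row_amount_update' );

// 4. Output escaping: even a validated option is escaped when rendered, so a
//    value that somehow reached the database cannot execute in the settings page.
function bm_render_row_amount_field() {
    $value = (int) get_option( 'bm_row_amount', 20 );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'bm_update_row_amount', 'bm_nonce' ); ?>
        <label for="bm-row-amount"><?php esc_html_e( 'Rows per page', 'bm' ); ?></label>
        <input id="bm-row-amount" type="number" name="row_amount" min="1" max="1000"
               value="<?php echo esc_attr( $value ); ?>">
        <?php submit_button( __( 'Save', 'bm' ) ); ?>
    </form>
    <?php
}
```

Each of the four layers addresses one part of the finding: the capability check removes the unauthenticated access, the nonce removes the CSRF path, integer coercion removes the stored script, and `esc_attr()` on output means the settings page stays safe even if the stored value were ever tampered with by another route.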