Viewing 2 replies - 1 through 2 (of 2 total)
  • Thanks for bringing this up! I have a site that I JUST pushed live last week and it has been “hacked” twice now and I feel like this plugin, or another, may be the culprit. The theme is completely custom made from scratch and I recently changed every password associated with the site. So really all that is left is a hole in WP itself or a third party plugin. This just helped me get the ball rolling now.

    Thread Starter deeholzman

    (@deeholzman)

    I did receive an email response from the author:

    Please don't worry, our plugin has no XSS vulnerability. As you have noticed, we use the add_query_arg() function in the bws_menu.php file, but this function is assigned to a variable, and when this variable is displayed on the screen, we wrap it in the esc_url() function, as is suggested here: https://make.www.ads-software.com/plugins/2015/04/20/fixing-add_query_arg-and-remove_query_arg-usage/

    As an example, for complete understanding, you can check the bws_menu.php code file yourself to confirm that this code is on line 763:

    $install_url = add_query_arg( array( 'action' => 'install-theme', 'theme' => $theme->slug, ), self_admin_url( 'update.php' ) );

    And below, on line 786, we use the esc_url() function to sanitize the $install_url variable (which holds the value returned by add_query_arg()), and when displaying it, we wrap it in the esc_url() function:

    $actions[] = '<a class="install-now" href="' . esc_url( wp_nonce_url( $install_url, 'install-theme_' . $theme->slug ) ) . '" title="' . esc_attr( sprintf( __( 'Install %s' ), $name ) ) . '">' . __( 'Install Now' ) . '</a>';
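
The author's point, that a URL built by add_query_arg() is only safe once it passes through esc_url() at the moment it is echoed, is easiest to see with the unsafe and the safe pattern side by side. The reason it matters is the one the linked make.wordpress.org post was about: when add_query_arg() is called without a URL argument it builds on the raw $_SERVER['REQUEST_URI'], which the client controls. The script below is an added example and is not code from the plugin or from the post. It assumes WordPress is loaded, so that add_query_arg() and esc_url() are WordPress's own functions; the fallback definitions exist only so the file also runs under plain `php`, and they are deliberately simplified stand-ins, not WordPress's implementation. The request URI, the page slug and the function names are constructed for the demonstration.

```php
<?php
// Added example, not code from the plugin or the forum thread.
// Shows why add_query_arg() output must pass through esc_url() before it is
// concatenated into HTML. Assumes WordPress is loaded; outside WordPress the
// simplified stand-ins below are used so the file runs under plain `php`.
// The stand-ins are NOT WordPress's implementation.

if ( ! function_exists( 'add_query_arg' ) ) {
	// Simplified stand-in. The one property it shares with WordPress is the
	// one that matters here: with no URL argument it falls back to the raw
	// $_SERVER['REQUEST_URI'], which the client controls.
	function add_query_arg( $key, $value, $url = null ) {
		if ( null === $url ) {
			$url = $_SERVER['REQUEST_URI'];
		}
		$sep = ( false === strpos( $url, '?' ) ) ? '?' : '&';
		return $url . $sep . rawurlencode( $key ) . '=' . rawurlencode( $value );
	}
}

if ( ! function_exists( 'esc_url' ) ) {
	// Simplified stand-in for esc_url(): drop characters that are not allowed
	// in a URL (", <, > and whitespace among them) and entity-encode & and '
	// so the result cannot terminate a quoted HTML attribute.
	function esc_url( $url ) {
		$url = preg_replace( '|[^a-z0-9\-~+_.?#=!&;,/:%@$\|*\'()\[\]\\x80-\\xff]|i', '', $url );
		$url = str_replace( '&', '&#038;', $url );
		return str_replace( "'", '&#039;', $url );
	}
}

// Constructed attacker request (hypothetical page slug, not a real site).
// The payload sits in the request URI and is designed to close the href
// attribute early; how such a URI reaches the script varies with the server
// configuration and is not the point of the example.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php/"><script>alert(1)</script>?page=example-plugin-page';

// Vulnerable pattern: the REQUEST_URI-derived URL is echoed raw.
function vulnerable_link() {
	$url = add_query_arg( 'paged', '2' );
	return '<a href="' . $url . '">Next</a>';
}

// Hardened pattern (the one the plugin author describes): the same value is
// wrapped in esc_url() at the point of output.
function hardened_link() {
	$url = add_query_arg( 'paged', '2' );
	return '<a href="' . esc_url( $url ) . '">Next</a>';
}

// Check a reviewer can run over rendered markup: the template above only ever
// writes an <a> element, so any <script tag in the output was injected.
function contains_injected_script( $html ) {
	return (bool) preg_match( '/<script\b/i', $html );
}

echo "Vulnerable: " . vulnerable_link() . "\n";
echo "Hardened:   " . hardened_link() . "\n";
echo "Injected script in vulnerable output? "
	. var_export( contains_injected_script( vulnerable_link() ), true ) . "\n";
echo "Injected script in hardened output?   "
	. var_export( contains_injected_script( hardened_link() ), true ) . "\n";
```

Two things worth noticing when comparing this with the plugin lines quoted above. First, the call on line 763 passes self_admin_url( 'update.php' ) explicitly, so that particular add_query_arg() call never reads REQUEST_URI at all; the example uses the no-URL form because that is the form the linked advisory is about, and escaping at output covers both. Second, order matters: on line 786 esc_url() is the outermost call, applied after wp_nonce_url() has appended its own parameters, so the nonce URL is escaped as a whole. Escaping first and adding parameters afterwards would leave the appended part unescaped.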

  • The topic ‘Is this plugin vunerable to latest XSS attacks?’ is closed to new replies.