wpb2d-premium.php is visible on
$_REQUEST['title'] is not escaped.
Proof of Concept:
XSS will be visible for admin:
- 10-11-2014: Discovered
- 10-11-2014: Vendor notified
- 19-11-2014: Second notification
- 22-12-2014: Version 4.1 released, issue resolved
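
The unescaped `$_REQUEST['title']` pattern next to a hardened form, as an added example that is not the plugin's code or the vendor's 4.1 fix. The function names, markup and sample input are assumptions, and plain-PHP `htmlspecialchars()` stands in for WordPress's `esc_html()` / `esc_attr()` so the block runs without WordPress.

```php
<?php
// Added example, not taken from the plugin. Function names and markup are hypothetical.

// Vulnerable pattern: the request value reaches the page unchanged,
// so any markup in it is parsed by the admin's browser.
function render_title_unsafe(array $request): string
{
    $title = isset($request['title']) ? $request['title'] : '';
    return '<h2>' . $title . '</h2>';
}

// Hardened pattern: accept only a string, then encode at the point of output.
function render_title_safe(array $request): string
{
    // A parameter sent as title[]=... arrives as an array; treat that as empty.
    $title = (isset($request['title']) && is_string($request['title']))
        ? $request['title']
        : '';

    // ENT_QUOTES encodes both quote styles, so the same value is safe in
    // element text and inside a quoted attribute. ENT_SUBSTITUTE replaces
    // invalid UTF-8 instead of returning an empty string.
    $encoded = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return '<h2 title="' . $encoded . '">' . $encoded . '</h2>';
}

// Constructed input containing HTML metacharacters (not the advisory's PoC).
$request = ['title' => 'Backup <b>log</b> "daily" & \'weekly\''];

echo render_title_unsafe($request), PHP_EOL; // markup passes through as-is
echo render_title_safe($request), PHP_EOL;   // markup is shown as literal text
```

Inside WordPress, use `esc_html()` for element text and `esc_attr()` for attribute values, applied where the value is printed, not where it is read.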