User Access Manager [Reflected XSS]
This is a typical Reflected XSS. Vulnerable param is
plugin settings page UAM → Manage User Groups (
Param is printed inside an HTML value attribute.
$_GET['action'] must be also present and set to
this attack to work.