This script is possibly vulnerable to Cross-Site Scripting (XSS) attacks.
Because the response is served with a JSON Content-Type header, browsers do not render it as HTML, so direct exploitation of this vulnerability is not possible. The issue might still be indirectly exploitable if a client-side script processes the response and embeds it into an HTML context. Manual confirmation is required.
Your script should filter metacharacters from user input.
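The indirect case described above, as an added example that is not part of the original advisory: a JSON response that reflects input unchanged, a client-side renderer that concatenates the parsed value into markup, and the same renderer with HTML metacharacters escaped. The function names, the `nosniff` header and the sample input are assumptions constructed for illustration.

```javascript
// Added example; buildJsonResponse, renderUnsafe, renderSafe are hypothetical names.

// Server side: reflects user input in a JSON body. JSON.stringify escapes
// quotes and backslashes for JSON syntax, but leaves < > & untouched.
function buildJsonResponse(userInput) {
  return {
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      // Added hardening: stops browsers from sniffing the body as HTML.
      "X-Content-Type-Options": "nosniff",
    },
    body: JSON.stringify({ query: userInput, results: [] }),
  };
}

// Client side, unsafe: the parsed value is concatenated into markup that a
// page would then assign to element.innerHTML (the "HTML context").
function renderUnsafe(responseBody) {
  const data = JSON.parse(responseBody);
  return "<p>No results for " + data.query + "</p>";
}

// Escape the HTML metacharacters in a single pass (no double-escaping).
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Client side, safe: the value is escaped before it reaches the markup.
// In a browser, assigning data.query to element.textContent has the same effect.
function renderSafe(responseBody) {
  const data = JSON.parse(responseBody);
  return "<p>No results for " + escapeHtml(data.query) + "</p>";
}

// Constructed sample input containing markup and an ampersand.
const SAMPLE_INPUT = '<u id="injected">hi</u> & more';
const response = buildJsonResponse(SAMPLE_INPUT);

console.log(response.body);               // markup survives the JSON encoding
console.log(renderUnsafe(response.body)); // injected element reaches the markup
console.log(renderSafe(response.body));   // injected element is rendered as text
```

When confirming a finding like this manually, trace each place the client-side code reads the reflected JSON field and check whether it ends in an HTML sink such as `innerHTML` or in a text sink such as `textContent`.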