The plugin does not sanitise or escape its “php_id” setting before outputting it back in an attribute in the page, leading to a stored Cross-Site Scripting issue.
Put the following payload in the “php_id” field in the plugin’s settings (/wp-admin/options-general.php?page=phtmanager): ">