The plugin manager echos raw URLs in error messages, this could allow to
construct an XSS attack. However the affected form is CSRF protected,
so an attacker would require another XSS vulnerability to get the needed token,
rendering this attack unneeded. So this should not be exploitable.