This page is a list of common plugin errors, including those that we check when approving a plugin for FogBugz On-Demand.
For anything that's displayed on the page, enter "<script>alert("XSS");</script>". If the alert pops up, there's an XSS vulnerability.
If any FogBugz entities are displayed (user names, bug titles, etc), make sure to try the above in all exposed fields.
Hit all accessible plugin pages as an Administrator, a Normal user, a Community user, and a Public (not logged-in) user.
Grid Column / Filter Errors
If the plugin includes any grid columns, try sorting by the column in both directions.
Also, search within a filter that includes the plugin columns / filter modifications for "editedby:me". This will crash if the plugin does not obey the fIncludeSelect parameter correctly.