It was discovered that it is possible to inject a malicious payload into the email address field, resulting in a stored XSS vulnerability.
Affected page: /scp/emails.php
Payload: test+(<script>alert(document.domain)</script>)@gmail.com
It works with all email accounts because they are put in the drop-down list.
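
The vulnerable and hardened ways of rendering such a drop-down, as an added PHP example (not the application's own code). It assumes the list is built from `<option>` elements; the function names and the sample address list are hypothetical.

```php
<?php
// Added illustration, not the application's source. All function names are hypothetical.
// Constructed sample data: one ordinary address and the address from the report.
$addresses = [
    'support@example.com',
    'test+(<script>alert(document.domain)</script>)@gmail.com',
];

// Vulnerable pattern: the stored address is written into the markup unchanged,
// so the browser parses the parenthesised part as a script element.
function renderOptionsUnsafe(array $addresses): string
{
    $html = '';
    foreach ($addresses as $id => $addr) {
        $html .= sprintf('<option value="%d">%s</option>', $id, $addr);
    }
    return $html;
}

// Hardened pattern: encode for the HTML context at output time, whatever was
// stored. "<" becomes "&lt;" and the address is displayed as text.
function renderOptionsSafe(array $addresses): string
{
    $html = '';
    foreach ($addresses as $id => $addr) {
        $safe = htmlspecialchars($addr, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= sprintf('<option value="%d">%s</option>', $id, $safe);
    }
    return $html;
}

// Defence in depth at input time: an allow-list that is deliberately stricter
// than RFC 5322 (no comments in parentheses, no angle brackets). Assumed policy.
function isPlainAddress(string $addr): bool
{
    return preg_match('/^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$/', $addr) === 1;
}

foreach ($addresses as $addr) {
    printf("%-60s plain=%s\n", $addr, isPlainAddress($addr) ? 'yes' : 'no');
}
echo renderOptionsUnsafe($addresses), "\n";
echo renderOptionsSafe($addresses), "\n";
```

Output encoding is the actual fix; the input check only narrows what can be stored and does not replace encoding in the other places the address is displayed.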