The plugin does not sanitise the ‘Text Next to Icon’ field when adding or editing a Characteristic, allowing high privilege users such as admin to use XSS payload in it, leading to an authenticated Stored Cross-Site Scripting issue
Add or Edit a Characteristic (/wp-admin/admin.php?option=com_vikrentcar&task=carat)) with the following payload in the 'Text Next to Icon' field: <script>alert(/XSS/)</script>
Then view the Characteristics List to trigger the XSS