The plugin does not sanitise or escape its description setting when outputting it in the frontend while the Coming Soon mode is enabled. This applies even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue.
Via the plugin's settings:
- Enable the 'Coming Soon Mode'
- Put the following payload in the Description field: <svg onload=alert(/XSS/)>
Then access the frontend as a user to trigger the XSS.
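
The fix pattern for a setting like this one, shown as an added example that is not the plugin's own code: sanitise the description when it is saved and escape it again when it is rendered on the Coming Soon page. The option name `csm_description`, the settings group `csm_settings` and both function names are hypothetical, and the example assumes the description is meant to allow basic formatting.

```php
<?php
// Added illustration. The option name, settings group and function names
// are hypothetical; they are not taken from the affected plugin.

// Vulnerable pattern described in the advisory: the stored value reaches
// the page unescaped, so markup saved in the setting runs for visitors.
//     echo get_option( 'csm_description' );

// 1. Sanitise on save. Filtering through KSES regardless of the saving
//    user's capabilities keeps the setting safe on sites where
//    unfiltered_html is disallowed.
function csm_sanitize_description( $value ) {
    if ( ! is_string( $value ) ) {
        return '';
    }
    // Removes tags and attributes outside the post allow-list, which
    // includes event-handler attributes such as onload.
    return wp_kses_post( $value );
}

add_action( 'admin_init', function () {
    register_setting( 'csm_settings', 'csm_description', array(
        'type'              => 'string',
        'sanitize_callback' => 'csm_sanitize_description',
        'default'           => '',
    ) );
} );

// 2. Escape on output. Filtering late also covers values that were
//    stored before the save-time check existed.
//    Assumption: the description may contain basic formatting. For a
//    plain-text field, use esc_html() here instead.
function csm_render_description() {
    $description = (string) get_option( 'csm_description', '' );
    echo '<div class="csm-description">' . wp_kses_post( $description ) . '</div>';
}
```

With both steps in place, the `<svg onload=...>` value from the steps above is stripped rather than rendered when the frontend is loaded.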