The plugin does not sanitise and escape a number of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks against all admins when they configure the chatbot and against all clients when they use the chatbot.
1. Go to "Settings > Language Settings > ChatBot Keywords"
2. Enter the PoC: `POC"><script>alert('XSS')</script>` in the "Welcome to Help Section", "Type and Hit Enter", or "clear our chat history" fields.
3. Save and see the XSS
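
The following is an added example, not the plugin's code. It assumes the setting is echoed into an `<input>` value attribute, which is the context the `">` prefix of the PoC is built for, and renders the step 2 payload with and without output escaping. The function names and the `welcome_help` field name are hypothetical, and `htmlspecialchars()` stands in for WordPress's `esc_attr()` so the file runs on its own.

```php
<?php
// Added illustration, not the plugin's code; all names below are hypothetical.

// Constructed sample: the PoC from step 2 as it would sit in the stored setting.
$stored = 'POC"><script>alert(\'XSS\')</script>';

// Vulnerable pattern: the stored value goes into value="" unchanged.
function render_raw(string $name, string $value): string {
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: escape for the attribute context at output time.
// Inside WordPress, esc_attr() is the function to use here.
function render_escaped(string $name, string $value): string {
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $safe . '">';
}

// Simplified stand-in for a save-time sanitiser (WordPress ships
// sanitize_text_field()): drops tags and collapses whitespace, but
// leaves quotes and ">" in place.
function sanitize_setting(string $value): string {
    return trim(preg_replace('/\s+/', ' ', strip_tags($value)));
}

// True when the markup closes the value attribute early or carries a script tag.
function breaks_out(string $html): bool {
    return stripos($html, '<script') !== false
        || preg_match('/value="[^"]*">.+/', $html) === 1;
}

$cases = [
    'raw'            => render_raw('welcome_help', $stored),
    'sanitised only' => render_raw('welcome_help', sanitize_setting($stored)),
    'escaped'        => render_escaped('welcome_help', $stored),
];
foreach ($cases as $label => $html) {
    printf("%-15s breaks out: %-3s %s\n", $label, breaks_out($html) ? 'yes' : 'no', $html);
}
```

The "sanitised only" case shows why stripping tags at save time is not enough for this field: the remaining quote still ends the attribute, so the value has to be escaped where it is output.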