The plugin does not sanitise and escape a parameter before outputting it back in a page available to any user (both authenticated and unauthenticated) when a specific setting is enabled, leading to Reflected Cross-Site Scripting.
With the "Compatibility Mode" (/wp-admin/edit.php?post_type=easy-pricing-table&page=easy-pricing-tables-settings) setting enabled:
https://example.com/wp-admin/admin-ajax.php?action=ptp_design4_color_columns&post_id=1&column_names=<script>alert(`xss`)</script>
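
Added example (not part of the original advisory or the plugin's code): a Python log triage check for the request shape shown in the proof of concept above. It inspects only the query string of access-log lines, undoes repeated percent-encoding, and flags `column_names` values that contain HTML metacharacters. The log lines, the function names and the set of flagged characters are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Endpoint, action and parameter names come from the advisory's proof of concept.
ENDPOINT = "/wp-admin/admin-ajax.php"
ACTION = "ptp_design4_color_columns"
PARAM = "column_names"

# Assumption: column names never legitimately contain these HTML metacharacters.
MARKUP = re.compile(r'[<>"]')
# Request field of a combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=ptp_design4_color_columns&post_id=1'
    '&column_names=%3Cscript%3Ealert(%60xss%60)%3C/script%3E HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=ptp_design4_color_columns&post_id=1&column_names=%253Cb%253E HTTP/1.1" 200 498',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=ptp_design4_color_columns&post_id=1&column_names=Basic,Pro HTTP/1.1" 200 430',
    '198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=heartbeat&column_names=%3Cb%3E HTTP/1.1" 200 47',
]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %253C) for at most `rounds` passes."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(line):
    """True if the line is a request to the affected action carrying markup."""
    match = REQUEST.search(line)
    if not match:
        return False
    url = urlsplit(match.group(1))
    if not url.path.endswith(ENDPOINT):
        return False
    query = parse_qs(url.query, keep_blank_values=True)
    if ACTION not in query.get("action", []):
        return False
    return any(MARKUP.search(fully_decode(v)) for v in query.get(PARAM, []))

def flag_lines(lines):
    """Return the indexes of log lines that deserve a closer look."""
    return [i for i, line in enumerate(lines) if is_suspicious(line)]
```

Parameters sent in a POST body do not appear in a standard access log, so this check covers only requests that carry the parameter in the URL, as the proof of concept does.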