The plugin does not sanitise and escape the wcj_delete_role parameter before outputting back in the admin dashboard when the General module is enabled, leading to a Reflected Cross-Site Scripting issue
The "General" module needs to be enabled in "Woocommerce -> Booster Settings -> Booster".
https://example.com/wp-admin/admin.php?page=wcj-tools&tab=custom_roles&wcj_delete_role=<script>alert(/XSS/)<%2Fscript>