The plugin doesn’t properly sanitise the Cookie Bar Message setting, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Add the following payload in the "Cookie Bar Message" setting of the plugin (/wp-admin/options-general.php?page=cookie-bar-settings): <img src onerror=alert(/XSS/)>
Then access the frontend (as any user, including an unauthenticated one) to trigger the XSS.
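The following is an added example, not the plugin's own code: it sketches how a setting like this can be sanitised on save and filtered again on output using WordPress core functions. The option name, settings group and function names are hypothetical, and the code assumes it is loaded inside WordPress (for example as a plugin file).

```php
<?php
/**
 * Added illustration, not the plugin's code. The option name, settings group
 * and function names are hypothetical; only the WordPress core calls are real.
 */

// Constructed "before" pattern matching the advisory: the setting is
// registered without a sanitize callback and echoed raw on the frontend.
//
//   register_setting( 'example_cookie_bar_group', 'example_cookie_bar_message' );
//   echo get_option( 'example_cookie_bar_message' );

/**
 * Sanitise on save. wp_kses_post() keeps ordinary post markup (links, <img>,
 * emphasis) but strips <script> and event-handler attributes such as onerror,
 * so the result no longer depends on who is allowed unfiltered_html.
 */
function example_cookie_bar_sanitize_message( $value ) {
    if ( ! is_string( $value ) ) {
        return '';
    }
    return wp_kses_post( $value );
}

function example_cookie_bar_register_settings() {
    register_setting(
        'example_cookie_bar_group',
        'example_cookie_bar_message',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_cookie_bar_sanitize_message',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'example_cookie_bar_register_settings' );

/**
 * Filter again on output so values stored before the fix, or written
 * straight to the database, are also neutralised.
 */
function example_cookie_bar_render() {
    $message = get_option( 'example_cookie_bar_message', '' );
    if ( '' === $message || ! is_string( $message ) ) {
        return;
    }
    echo '<div class="example-cookie-bar">' . wp_kses_post( $message ) . '</div>';
}
add_action( 'wp_footer', 'example_cookie_bar_render' );
```

If the message is meant to be plain text only, sanitize_text_field() on save and esc_html() on output are the stricter choice.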