The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
Note: The plugin requires WPBakery Page Builder (slug: js_compressor)
[vca_pricing_plans_child vca_pp_columns='" onmouseover="alert(/XSS/)" style="background:red;"']
Note (WPScan):
Other attributes were also found vulnerable when verifying the issue, for example: [vca_pricing_plans_child vca_pp_purchase_link='javascript:alert(/XSS/)']