The plugin does not properly sanitize inputs within wp-admin pages, allowing users with sufficient access to inject XSS payloads within /wp-admin/ pages.
PoC
- Open Global Activation and click on Customize Now.
- On Step3 (StylingTab), enter the XSS payload into the “Whats your reaction” field. Payload used: ">
- Click on the Save and Exit button; an alert will pop up every time a Global Activation step is loaded.