The plugin does not sanitise and escape the wcj_notice parameter before outputting it back in the admin dashboard when the PDF Invoicing module is enabled, leading to a Reflected Cross-Site Scripting vulnerability.
With the PDF Invoicing module active: https://example.com/wp-admin/edit.php?post_type=shop_order&paged=1&generated=1&generated_type=invoice&generated_invoice=1&post_status=all&wcj_notice=
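
A defender can look for this issue in web server access logs by flagging requests to /wp-admin/edit.php whose wcj_notice value decodes to HTML markup characters. The script below is an added example, not code from the plugin or the advisory; the log lines, the function names and the choice of characters treated as markup are assumptions made for illustration.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (not real traffic); values are harmless markers.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/edit.php'
    '?post_type=shop_order&generated=1&wcj_notice=Invoice+created HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-admin/edit.php'
    '?post_type=shop_order&wcj_notice=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 5300',
    '203.0.113.9 - - [01/Jan/2024:10:02:00 +0000] "GET /wp-admin/edit.php'
    '?post_type=shop_order&wcj_notice=%253Cb%253Etest HTTP/1.1" 200 5300',
    '203.0.113.7 - - [01/Jan/2024:10:03:00 +0000] "GET /wp-admin/edit.php'
    '?post_type=page HTTP/1.1" 200 4000',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
MARKUP_CHARS = set('<>"\'')  # heuristic: characters a plain notice should not need


def notice_values(line):
    """Return the wcj_notice values (decoded once) from one log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.endswith("/wp-admin/edit.php"):
        return []
    return parse_qs(url.query, keep_blank_values=True).get("wcj_notice", [])


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so double-encoded markup is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(value):
    return any(ch in MARKUP_CHARS for ch in fully_decode(value))


def flag_lines(lines):
    """Return (line index, HTML-escaped value) for each suspicious request."""
    return [(i, html.escape(fully_decode(v)))
            for i, line in enumerate(lines)
            for v in notice_values(line) if is_suspicious(v)]


if __name__ == "__main__":
    for index, shown in flag_lines(SAMPLE_LOG):
        print(f"line {index}: wcj_notice decodes to markup: {shown}")
```

The flagged values are HTML-escaped before being reported, so the findings can themselves be shown in a web dashboard without being rendered as markup.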