The plugin does not properly sanitize inputs submitted by authenticated users when adding or modifying coming soon or maintenance mode pages, leading to stored cross-site scripting (XSS).
PoC
* Open the Coming Soon plugin’s settings (Coming Soon -> Coming Soon)
* Click on the “Title” section
* Inject XSS payload into the Title section’s “Title” form field.
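
One way to close this class of bug in a WordPress settings handler, as an added example (not code from the affected plugin): sanitize the Title value when it is saved and escape it again, per output context, when it is rendered. The option key, action name, nonce, page slug and required capability are hypothetical placeholders.

```php
<?php
// Hypothetical names throughout: the 'csmm_title' option, 'csmm_save_title'
// action/nonce and 'csmm' page slug are placeholders, not identifiers taken
// from the affected plugin.

// Save path: runs when an authenticated user submits the settings form.
add_action( 'admin_post_csmm_save_title', function () {
    // Assumption: only users with manage_options may edit the page.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Reject requests that do not carry a valid nonce for this action.
    check_admin_referer( 'csmm_save_title' );

    $raw = isset( $_POST['title'] ) ? wp_unslash( $_POST['title'] ) : '';

    // Input sanitization: a title is plain text, so strip tags, control
    // characters and surplus whitespace before the value is stored.
    update_option( 'csmm_title', sanitize_text_field( $raw ) );

    wp_safe_redirect( admin_url( 'admin.php?page=csmm' ) );
    exit;
} );

// Render path, HTML body context: escape at output even though the value was
// sanitized on save, so values stored before the fix are neutralised too.
function csmm_render_title() {
    $title = get_option( 'csmm_title', '' );
    echo '<h1 class="csmm-title">' . esc_html( $title ) . '</h1>';
}

// Render path, attribute context (the settings form itself): the stored
// value is reflected into value="", so use the attribute escaper here.
function csmm_render_title_field() {
    $title = get_option( 'csmm_title', '' );
    printf(
        '<input type="text" name="title" value="%s" />',
        esc_attr( $title )
    );
}
```

Escaping at render time is the part that protects sites that already hold a malicious Title from before an update; sanitizing on save alone does not clean existing rows.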