The plugin does not properly sanitize inputs within wp-admin pages, allowing users with sufficient access to inject XSS payloads within /wp-admin/ pages.
* Open Global Activation and click Customize Now.
* On Step3 (StylingTab), enter the XSS payload into the "Whats your reaction" field.
  Payload used: `"><script>alert(document.location)</script>`
* Click the Save and Exit button. An alert will pop up every time a Global Activation step is loaded.
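
The pattern behind this finding, next to its fix, as an added example that is not the plugin's own code. It assumes the saved field is echoed into an input's `value` attribute (suggested by the payload's leading `">`); the function names and the `reaction_title` field name are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Assumption: the saved field value
// is echoed back into an <input value="..."> on the wp-admin settings page.

// Constructed sample: the payload from the proof of concept above.
$stored = '"><script>alert(document.location)</script>';

// Vulnerable pattern: the stored value is concatenated into markup as-is,
// so the leading "> closes the attribute and the tag.
function render_field_unsafe(string $value): string {
    return '<input type="text" name="reaction_title" value="' . $value . '">';
}

// Hardened pattern: escape for the attribute context at output time.
// In WordPress this is esc_attr(); htmlspecialchars() keeps the demo stand-alone.
function render_field_safe(string $value): string {
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="reaction_title" value="' . $escaped . '">';
}

// Count the <script> elements an HTML parser sees in the rendered markup.
function count_scripts(string $html): int {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate fragment markup
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    return $doc->getElementsByTagName('script')->length;
}

// Render the same stored value both ways and report what the parser finds.
foreach (['unsafe' => 'render_field_unsafe', 'safe' => 'render_field_safe'] as $label => $fn) {
    $html = $fn($stored);
    printf("%-6s scripts=%d  %s\n", $label, count_scripts($html), $html);
}
```

In a WordPress plugin the same fix is usually paired with `sanitize_text_field()` when the setting is saved, so the stored value is clean as well as escaped on output.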