The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).
1. Create/edit a Post Type via the plugin (wp-admin/admin.php?page=cptc-page) and put the following payload in the "Singular Label" and "Plural Label" fields: <img src onerror=alert(/XSS/)>
The XSS will be triggered in all backend pages.
2. Create/edit a taximony via the plugin (/wp-admin/admin.php?page=ctc-page), put the following payload in the "Singular Label" and "Plural Label" fields: <img src onerror=alert(/XSS/)>, then tick the Attach to 'Post'
The XSS will be triggered when accessing the related taximony via the Post menu (e.g /wp-admin/edit-tags.php?taxonomy=b)