The plugin does not properly sanitize inputs when adding new items to an accordion.
When adding new items to an accordion, an injection payload of "<!'/*"/*/'/*/"/*--></Script><Image SrcSet=K */; OnError=confirm`1` //>" for an accordion item's title will result in XSS in the wp-admin page as well as on pages that show the accordion.