The plugin does not sanitise its settings fields, leading to authenticated (admin+) Stored Cross-Site Scripting issues.
Step 1: Install the plugin "Easy Preloader"
Step 2: Enter the payload below in the text field "Choose overlay color" (or any other text field) in the plugin's settings (wp-admin/options-general.php?page=ep-options)
"><script>alert(/XSS/)</script>
Step 3: The script is stored and executes every time the plugin settings page is loaded.
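
For the mitigation side, the sketch below shows the unescaped-output pattern that produces this class of bug next to a hardened form that validates on save and escapes on output. It is an added example, not the plugin's own code: the option name ep_overlay_color, the group ep_options_group and all ep_* function names are hypothetical, and it assumes the settings form is submitted through the WordPress Settings API.

```php
<?php
// Added example. All ep_* names and the option/group names are hypothetical.

// Vulnerable pattern: the stored value is echoed into an attribute unescaped,
// so a value starting with "> closes the attribute and the <input> tag.
function ep_render_color_field_unsafe() {
    echo '<input type="text" name="ep_overlay_color" value="'
        . get_option( 'ep_overlay_color' ) . '">';
}

// Hardened, part 1: validate on save. A color field only needs #rgb or #rrggbb,
// so anything else is rejected and the previously stored value is kept.
function ep_sanitize_overlay_color( $value ) {
    $color = sanitize_hex_color( trim( (string) $value ) );
    if ( empty( $color ) ) {
        add_settings_error(
            'ep_overlay_color',
            'ep_bad_color',
            'Overlay color must be a hex value such as #1a2b3c.'
        );
        return get_option( 'ep_overlay_color', '#ffffff' );
    }
    return $color;
}

function ep_register_settings() {
    register_setting( 'ep_options_group', 'ep_overlay_color', array(
        'type'              => 'string',
        'sanitize_callback' => 'ep_sanitize_overlay_color',
        'default'           => '#ffffff',
    ) );
}
add_action( 'admin_init', 'ep_register_settings' );

// Hardened, part 2: escape on output, so values stored before the fix
// (or written to the database by other means) are still rendered inert.
function ep_render_color_field() {
    printf(
        '<input type="text" name="ep_overlay_color" value="%s">',
        esc_attr( get_option( 'ep_overlay_color', '#ffffff' ) )
    );
}
```

Free-text settings that cannot be validated against a fixed format would use sanitize_text_field() as the save callback, with the same esc_attr() on output.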