Description

The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as Editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).

1. Go to "Salon > Services > Add New Service"
2. For the service name, enter: `<script<script>>alert(document.cookie)</script<script>` and save
3. Go to "Assistants" and edit an assistant
4. Click on "Limit reservations to the following services" to see the XSS
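
The remediation pattern for this class of bug in a WordPress plugin, as an added example that is not the plugin's own code: store the service name as plain text for every role, and escape it again where the assistant edit screen lists the services. The `example_` function names, the `example_service` post type, the `service_name` and `example_nonce` fields and the `example_service_name` meta key are assumptions made for illustration; the WordPress functions called are core API.

```php
<?php
// Added example with hypothetical names; not taken from the affected plugin.

// Save path. Sanitising here is unconditional: it is not skipped for roles
// that hold unfiltered_html, because a service name is plain text for everyone.
function example_save_service_name( $post_id ) {
    if ( ! isset( $_POST['service_name'], $_POST['example_nonce'] ) ) {
        return;
    }
    if ( ! wp_verify_nonce( sanitize_key( $_POST['example_nonce'] ), 'example_save_service' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // sanitize_text_field() strips tags and control characters before storage.
    $name = sanitize_text_field( wp_unslash( $_POST['service_name'] ) );
    update_post_meta( $post_id, 'example_service_name', $name );
}
add_action( 'save_post_example_service', 'example_save_service_name' );

// Output path. Escaping at render time is the control that holds even if a
// value reached the database before the save path was fixed.
function example_render_service_checkboxes( array $service_ids, array $selected ) {
    foreach ( $service_ids as $id ) {
        $name = get_post_meta( $id, 'example_service_name', true );
        printf(
            '<label><input type="checkbox" name="services[]" value="%1$d"%2$s> %3$s</label>',
            (int) $id,
            checked( in_array( $id, $selected, true ), true, false ),
            esc_html( $name ) // HTML body context: <, >, & and quotes become entities
        );
    }
}
```

Values written to the database before the fix stay as they were entered, so the output-side `esc_html()` call is what neutralises service names that are already stored.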