The plugin does not implement any sanitisation on the color setting of the background of a calculator, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
1. Go to settings page available under the "Calculator" menu item.
2. Click the "Select Color" button and type the following payload the input space: </style></head><script>alert(/XSS/)</script>
3. Click the "Save Changes" button to save settings.
4. Create a new page and add the shortcode ([mcwp type="cv"]) of the calculator, for testing.
5. Visit the page to trigger XSS.