The plugin does not sanitise or escape some of its settings before outputting them in the page, leading to Authenticated Stored Cross-Site Scripting issues.
Put the following payload in the Fajr, Sunrise, Zuhr, Asr, Maghrib and/or Isha field of the Language settings of the plugin (/wp-admin/admin.php?page=dpt#tabs-2): <img/src/onerror=prompt(/XSS/)>
The XSS will be triggered in the plugin's settings, as well as any post/page with the [monthlytable] embed