The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
Go to this page: https://example.com/wp-admin/admin.php?page=byconsolewooodtrestro_general_settings
On this page there are multiple forms; all of them are vulnerable to stored XSS.
XSS payload: "><img src=x onerror=alert(document.cookie)>
Vulnerable parameters: byconsolewooodtrestro_takeaway_lable, byconsolewooodtrestro_delivery_lable, byconsolewooodtrestro_dinein_lable, byconsolewooodtrestro_date_field_text, byconsolewooodtrestro_time_field_text, byconsolewooodtrestro_orders_delivered, byconsolewooodtrestro_orders_pick_up, byconsolewooodtrestro_orders_dinein, byconsolewooodtrestro_chekout_page_section_heading, byconsolewooodtrestro_chekout_page_order_type_label, byconsolewooodtrestro_chekout_page_date_label, byconsolewooodtrestro_chekout_page_time_label
After injecting the payload into these fields and saving the changes, any administrator who visits this page will be targeted.
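On the remediation side, the following PHP snippet is an added illustration of the pattern this advisory describes, not the plugin's own code: the vulnerable form saves a request value unfiltered and prints it back unescaped, while the hardened form registers a sanitize_callback so the value is cleaned on every save regardless of the caller's unfiltered_html capability, and escapes it on output. Only the option name byconsolewooodtrestro_takeaway_lable is taken from the advisory; the option group name byconsolewooodtrestro_settings, the function names and the form markup are assumptions for illustration.

```php
<?php
// Added illustration, not the plugin's code. The option name comes from the
// advisory; the option group, function names and markup are assumed.

// --- Vulnerable pattern: raw request value saved and printed back unescaped ---
function restro_example_save_setting_vulnerable() {
    if ( isset( $_POST['byconsolewooodtrestro_takeaway_lable'] ) ) {
        // No sanitisation: a value such as "><img src=x onerror=...> is stored verbatim.
        update_option( 'byconsolewooodtrestro_takeaway_lable', $_POST['byconsolewooodtrestro_takeaway_lable'] );
    }
}

function restro_example_render_setting_vulnerable() {
    $label = get_option( 'byconsolewooodtrestro_takeaway_lable', '' );
    // No escaping: the stored value closes the attribute and its markup runs in any
    // administrator's browser when the settings page is opened.
    echo '<input type="text" name="byconsolewooodtrestro_takeaway_lable" value="' . $label . '">';
}

// --- Hardened pattern: sanitise on save, escape on output ---
function restro_example_register_settings() {
    register_setting(
        'byconsolewooodtrestro_settings',          // option group (assumed name)
        'byconsolewooodtrestro_takeaway_lable',
        array(
            'type'              => 'string',
            // register_setting() hooks sanitize_option_{option}, which update_option()
            // applies on every save, so the stored value is plain text even when the
            // saving user holds unfiltered_html.
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'restro_example_register_settings' );

function restro_example_render_setting_hardened() {
    $label = get_option( 'byconsolewooodtrestro_takeaway_lable', '' );
    // esc_attr() encodes quotes and angle brackets, so the value cannot leave the
    // attribute; use esc_html() where the label is printed as element text instead.
    echo '<input type="text" name="byconsolewooodtrestro_takeaway_lable" value="' . esc_attr( $label ) . '">';
}
```

When the settings form posts to options.php through settings_fields( 'byconsolewooodtrestro_settings' ), WordPress applies the registered sanitize_callback itself, so the label-type fields listed above need no custom save handler; the two halves of the fix are independent, and both are needed, because sanitising on save does not protect values that were stored before the fix, while escaping on output does.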