The plugin does not properly sanitize inputs submitted by authenticated users when setting adding or modifying coming soon or maintenance mode pages, leading to stored XSS.
* Open the Coming Soon plugin's settings (Coming Soon -> Coming Soon)
* Click on the "Title" section
* Inject XSS payload into the Title section's "Title" form field.
<!'/*"/*/'/*/"/*--></Script><Image SrcSet=K */; OnError=confirm`123` //>
* Click "Save Section", then reload the settings page (Coming Soon -> Coming Soon)