The plugin does not sanitize and escape the “Footer Credit Text” added to pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered-html capability is disallowed.
(The plugin requires the Storefront theme)
Go to Appearance > Customize (/wp-admin/customize.php), open the Footer customisation and put the following payload in the Footer Credit Text: <script>alert(/XSS/)</script>
The XSS will be triggered in all frontend pages, and Customise admin panel as well