The plugin does not sanitise or escape its 'Now closed message" setting when outputting it in the backend and frontend, leading to an Authenticated Stored Cross-Site Scripting issue
Put the following payload in the “Now closed message” setting and save them: Then refresh the setting page, or go to a page where the Business Hours are output (tested with the [mbhi …] shortcode) to trigger the XSS