The plugin does not escape the Staff Full Name field before outputting it back in a page, which could lead to a Stored Cross-Site Scripting issue
As a Staff Member, put the following payload in your Full Name (Booklyn –> Profile –> Edit –> Full Name): The XSS will be triggered when an admin opens the Staff Members order page (Booklyn –> Staff Members –> Staff member order).
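The root cause described above is output without escaping. The following PHP snippet is an added illustration, not the plugin's own code: a hypothetical `render_staff_order_row()` shows the vulnerable pattern (echoing the stored name verbatim) beside the hardened form, which passes the value through WordPress's `esc_html()` at output time. The function name, the `$staff` array shape and the sample name are all assumptions constructed for this example; the `esc_html()` shim is only there so the file runs outside WordPress.

```php
<?php
// Added example, not the plugin's code. Demonstrates escaping a stored
// "Full Name" field on output to prevent stored XSS.

// Shim so this runs stand-alone; inside WordPress the real esc_html() is used.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed sample record: a staff member whose name contains HTML markup.
$staff = [
    'id'        => 7,                              // assumed field
    'full_name' => 'Sample <script>x</script> Name', // constructed test value
];

// VULNERABLE (hypothetical): the stored value lands in the page as-is,
// so any markup saved in the profile runs in the admin's browser.
function render_staff_order_row_vulnerable(array $staff) {
    return '<li data-id="' . $staff['id'] . '">' . $staff['full_name'] . '</li>';
}

// HARDENED: every attacker-controlled value is escaped for its context.
// esc_html() for text nodes, esc_attr() for attribute values.
function render_staff_order_row(array $staff) {
    $id   = esc_attr((string) $staff['id']);
    $name = esc_html($staff['full_name']);
    return '<li data-id="' . $id . '">' . $name . '</li>';
}

if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

echo "vulnerable: " . render_staff_order_row_vulnerable($staff) . PHP_EOL;
echo "hardened:   " . render_staff_order_row($staff) . PHP_EOL;
```

The hardened output renders the `<script>` tag as literal text (`&lt;script&gt;`), so the name is displayed exactly as typed but never interpreted as markup. Escaping belongs at the output site, in the context the value is used in (text, attribute, URL, JavaScript), rather than on input, since the same stored value may later be emitted in several different contexts.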