The plugin does not implement any sanitisation on the background color setting of a calculator, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
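The sanitisation the advisory describes as missing, as an added defensive example written for this page rather than taken from the plugin: a strict validator applied on save (the same rule WordPress core's sanitize_hex_color() uses) and escaping at output time. The option name, default colour and function names are assumptions.

```php
<?php
// Added example (not the plugin's code). A background colour ends up inside a
// style attribute, so the defence is (1) validate on save against a strict
// hex-colour pattern and (2) escape on output. Option name and default are assumed.

const CALC_DEFAULT_BG = '#ffffff'; // assumed plugin default

/**
 * Accept only "#rgb" or "#rrggbb"; anything else falls back to the default.
 * Returning the default (never the raw input) means the stored value cannot
 * carry markup, a quote or a CSS declaration, whatever the submitter's role.
 */
function calc_sanitize_bg_color(string $input): string {
    $input = trim($input);
    if (preg_match('/^#([A-Fa-f0-9]{3}){1,2}$/', $input) === 1) {
        return $input;
    }
    return CALC_DEFAULT_BG;
}

/**
 * Render the inline style. Even a validated value is escaped at output
 * (esc_attr() in WordPress; htmlspecialchars() here so this runs stand-alone).
 */
function calc_render_wrapper(string $stored_color): string {
    $safe = calc_sanitize_bg_color($stored_color); // re-validate on read: defence in depth
    return '<div class="calculator" style="background-color:'
        . htmlspecialchars($safe, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '"></div>';
}

// In the plugin this would be wired in with
//   register_setting('calc_options', 'calc_bg_color',
//                    ['sanitize_callback' => 'calc_sanitize_bg_color']);
// so WordPress runs it on every save, independent of the unfiltered_html capability.

// Constructed inputs: a valid colour, a CSS-breakout attempt, an attribute-breakout attempt.
$samples = [
    '#1a2B3c',
    '#fff; background:url(x)',
    '"><b>not a colour</b>',
];
foreach ($samples as $s) {
    printf("%-28s -> %s\n", $s, calc_sanitize_bg_color($s));
}
echo calc_render_wrapper('#abc'), "\n";
```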
1. Go to the settings page available under the “Calculator” menu item.
2. Click the “Select Color” button and type the following payload into the input space: