The plugin doesn’t sanitise and escape some of its settings while outputting them in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue.
Put the following payload in the “Note title” and “Note message” settings of the plugin: "> and

Then visit the Admin Dashboard homepage or the plugin’s settings (/wp-admin/admin.php?page=Splash_Header_Display&tab=homepage) to trigger the XSS.

https://github.com/xiahao90/CVEproject/blob/main/wordpress_Splashheader_XSS.md
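The missing output escaping described above, shown next to the escaped form. This is an added example, not the plugin's code: the form markup, the array keys and the sample values are assumptions, and the two small stand-in functions exist only so the file also runs outside WordPress, where `esc_attr()` and `esc_html()` are already defined.

```php
<?php
// Stand-ins for the PHP CLI only; inside WordPress the real esc_attr() and
// esc_html() exist and these definitions are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}

// Constructed sample values standing in for the saved "Note title" and
// "Note message" settings. The leading "> closes an attribute, as in the
// advisory; the markup that follows is inert formatting.
$settings = [
    'note_title'   => '"><b>title</b>',
    'note_message' => '"><i>message</i>',
];

// Before: stored values are concatenated into the admin page as-is.
function render_unescaped(array $s): string {
    return '<input type="text" name="note_title" value="' . $s['note_title'] . '">'
         . '<textarea name="note_message">' . $s['note_message'] . '</textarea>';
}

// After: each value is escaped for the context it lands in
// (attribute value vs. element body).
function render_escaped(array $s): string {
    return '<input type="text" name="note_title" value="' . esc_attr($s['note_title']) . '">'
         . '<textarea name="note_message">' . esc_html($s['note_message']) . '</textarea>';
}

$before = render_unescaped($settings);
$after  = render_escaped($settings);

// Unescaped: the stored value ends the value="" attribute and adds an element.
var_dump(strpos($before, 'value=""><b>') !== false);
// Escaped: no element from the stored value survives in the output.
var_dump(strpos($after, '<b>') === false && strpos($after, '<i>') === false);
echo $after, PHP_EOL;
```

Escaping at output is the fix for the rendering path; the sanitising half the description mentions belongs at save time, for which WordPress provides `sanitize_text_field()`.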