The plugin does not sanitise or escape Service Prices before outputting it in the List, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
In the admin dashboard navigate to Services > Add service and put the following payload in the Price (Service Params section): The XSS will be triggered in the Services list (/wp-admin/edit.php?post_type=services)