The plugin does not sanitize and escape the “Footer Credit Text” added to pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered-html capability is disallowed.
(The plugin requires the Storefront theme) Go to Appearance > Customize (/wp-admin/customize.php), open the Footer customisation and put the following payload in the Footer Credit Text: The XSS will be triggered in all frontend pages, and Customise admin panel as well