During security research, I found an authenticated stored XSS vulnerability in the Easy Accordion plugin. Affected versions: < 2.0.22.
The plugin does not properly sanitize inputs when adding new items to an accordion.
When adding new items to an accordion, an injection payload of "<!'/*"/*/'/*/"/*--></Script><Image SrcSet=K */; OnError=confirm`1` //>" for an accordion item's title will result in XSS in the wp-admin page as well as on pages that show the accordion.
NIST CVSS score: 5.4
The plugin has more than 30,000 active installations.
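The unescaped-title pattern described above next to a hardened form, as an added example. This is not the plugin's code: the function names are hypothetical, and plain PHP built-ins stand in for the roles WordPress's sanitize_text_field() and esc_html() play.

```php
<?php
// Added illustration; not Easy Accordion's code. Function names are hypothetical.

// The item title quoted in the report, held verbatim in a nowdoc.
$title = <<<'EOT'
<!'/*"/*/'/*/"/*--></Script><Image SrcSet=K */; OnError=confirm`1` //>
EOT;

// Vulnerable pattern: the stored title is concatenated into markup as-is,
// so the browser parses it as HTML on every page that shows the accordion.
function render_item_vulnerable(string $title): string {
    return '<div class="accordion-title">' . $title . '</div>';
}

// Save-time cleanup: drop tags and collapse whitespace. Useful for keeping
// stored data tidy, but not relied on as the only defence.
function sanitize_title(string $raw): string {
    return trim(preg_replace('/\s+/', ' ', strip_tags($raw)));
}

// Output-time escaping: the control that actually prevents the XSS.
// ENT_QUOTES also covers attribute contexts such as value="..." in an
// admin form, which matters because the report names wp-admin as well.
function render_item_hardened(string $title): string {
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="accordion-title">' . $safe . '</div>';
}

// Regression check: after removing the wrapper we generate ourselves,
// no raw '<' originating from the title may remain in the output.
function title_markup_survives(string $html): bool {
    $inner = preg_replace('#^<div class="accordion-title">|</div>$#', '', $html);
    return strpos($inner, '<') !== false;
}

$raw_out      = render_item_vulnerable($title);
$escaped_out  = render_item_hardened($title);                  // escape only
$defended_out = render_item_hardened(sanitize_title($title));  // both layers

foreach (['vulnerable' => $raw_out, 'escaped' => $escaped_out,
          'sanitized+escaped' => $defended_out] as $label => $html) {
    printf("%-18s markup survives: %s\n", $label,
           title_markup_survives($html) ? 'yes' : 'no');
}
```

Escaping is applied at output even when the value was cleaned on save, so titles stored before a fix was deployed are rendered inert as well.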