During security research I found an authenticated stored XSS vulnerability in the Easy Accordion plugin. Affected versions: < 2.0.22

Description

The plugin does not properly sanitize inputs when adding new items to an accordion.

POC

When adding a new item to an accordion, using the injection payload

"<!'/*"/*/'/*/"/*--></Script><Image SrcSet=K */; OnError=confirm`1` //>"

as the accordion item's title results in XSS on the wp-admin page as well as on pages that show the accordion.
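
As an added example (not part of the original advisory and not the plugin's code), the Python check below renders the POC title into two hypothetical templates, one element-content context and one attribute-value context, and reports any tags or event-handler attributes the title introduces, with and without output escaping. The template markup and the names audit, MarkupAudit, TEMPLATES and EXPECTED_TAGS are assumptions made for the illustration.

```python
import html
from html.parser import HTMLParser

# The title payload quoted in the POC above, without the surrounding quotation marks.
POC_TITLE = "<!'/*\"/*/'/*/\"/*--></Script><Image SrcSet=K */; OnError=confirm`1` //>"

# Hypothetical templates (assumptions, not the plugin's markup): the title as
# element content on a public page and as an attribute value in an admin form.
TEMPLATES = {
    "body": '<h3 class="ea-title">{title}</h3>',
    "attr": '<input type="text" name="item_title" value="{title}">',
}
# Start tags each template emits on its own; anything else came from the title.
EXPECTED_TAGS = {"body": ["h3"], "attr": ["input"]}


class MarkupAudit(HTMLParser):
    """Collect start tags and on* event-handler attributes in a fragment."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [(tag, name) for name, _ in attrs if name.startswith("on")]


def audit(context, title, escape):
    """Render title into a template and report markup the title introduced."""
    value = html.escape(title, quote=True) if escape else title
    parser = MarkupAudit()
    parser.feed(TEMPLATES[context].format(title=value))
    parser.close()
    extra = list(parser.tags)
    for expected in EXPECTED_TAGS[context]:
        if expected in extra:
            extra.remove(expected)
    return {"extra_tags": extra, "handlers": parser.handlers}


if __name__ == "__main__":
    for context in TEMPLATES:
        for escape in (False, True):
            print(context, "escaped" if escape else "raw", audit(context, POC_TITLE, escape))
```

In WordPress code the equivalent output encoding is esc_html() for element content and esc_attr() for attribute values.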

Additional information

WPSCAN link: https://wpscan.com/vulnerability/4d0c60d1-db5a-4c4f-9bdb-669975ac7210

NIST CVSS SCORE: 5.4

NIST LINK: https://nvd.nist.gov/vuln/detail/CVE-2021-24576

The plugin has more than 30,000 active installations.