During a security research I found an authenticated Stored XSS vulnerability. The name of the plugin is: WordPress WP Subscribe plugin, the version of the affected plugin: < 1.2.12

Description

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered 
by Asif Nawaz Minhas (Patchstack Alliance) in WordPress WP Subscribe plugin (versions <= 1.2.12).

POC

on the left column went to Appearance > Widgets. 

Here clicked on the plus button and added WP Subscribe Widget. 
Now when you go to the widget settings of WP Subscribe Widget, click on Labels. 
Now scroll down to Consent Label. 
Add there the following payload: 

<img src onerror=alert(/XSS/)>

Click now on the blue button on the far right Update. 
Now log out of Wordpress and visit the homepage or any page of your website. 
And you will see the stored XSS popping up on every web page of your site you visit

Additional information

PATCHSTACK link: https://patchstack.com/database/vulnerability/wp-subscribe/wordpress-wp-subscribe-plugin-1-2-12-authenticated-stored-cross-site-scripting-xss-vulnerability

NIST CVSS SCORE: 4.8

NIST LINK: https://nvd.nist.gov/vuln/detail/CVE-2021-36844

Plugin has more than 20,000+ active installations.