During a security research I found an authenticated Stored XSS vulnerability.

The name of the plugin is: Top Bar < 3.0.4


The plugin does not sanitise and escape some of its settings before 
outputting them in frontend pages, which could allow high privilege users 
such as admin to perform Stored Cross-Site Scripting attacks 
even when the unfiltered_html capability is disallowed 
(for example in multisite setup)


The PoC will be displayed on October 03, 2022, 
to give users the time to update. 

Additional information

WPSCAN link: https://wpscan.com/vulnerability/25a0d41f-3b6f-4d18-b4d5-767ac60ee8a8

Plugin has more than 20,000+ active installations.