The Page Restriction WordPress (WP) WordPress plugin before 1.2.7 allows bad actors with administrator privileges to the settings page to inject Javascript code to its settings leading to stored Cross-Site Scripting that will only affect administrator users.
https://wpscan.com/vulnerability/9dbb0d6d-bc84-4b85-8aa5-fa2a8e6fa5e3