The plugin does not sanitize and escape some of its settings, which could allow high privilege users with a role as low as Shop Manager to perform Stored Cross-Site Scripting (XSS) attacks.

Proof of Concept

Put the following payload in the WooCommerce > Settings > Billingo > E-mail Beállítások > Gomb szöveg field (in the table):