The iFlyChat WordPress plugin before 4.7.0 does not sanitise its APP ID setting before outputting it back in the page, leading to an authenticated Stored Cross-Site Scripting issue
https://wpscan.com/vulnerability/d6c72d90-e321-47b9-957a-6fea7c944293