The Coming Soon by Supsystic WordPress plugin before 1.7.6 does not sanitise and escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting
https://wpscan.com/vulnerability/49589867-f764-4c4a-b640-84973c673b23