Post Views Counter < 1.3.5 - Authenticated Stored XSS
The plugin does not sanitise or escape its Post Views Label setting, either when the value is saved or when it is output, which allows high-privilege users to perform Stored Cross-Site Scripting attacks in the frontend even when the unfiltered_html capability is disallowed (for example on multisite, or when DISALLOW_UNFILTERED_HTML is set). Because the label is rendered for every visitor of the affected posts, the payload executes in the browser of unauthenticated users as well.
Proof of Concept
Enter the following payload in the Post Views Label field of the plugin's settings (?wp-admin/options-general.php?page=post-views-counter&tab=display) and save the settings:
<script>alert(/XSS/)</script>
The XSS is triggered on every post (the default display setting), and the plugin's display options can be changed so that the label, and therefore the payload, is also rendered on pages and other post types.
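The following is an added illustrative example, not the Post Views Counter plugin's own code, showing the pattern behind this class of bug beside its hardened form. The option name pvc_label, the nonce action pvc_example_save and the function names are hypothetical; the point is that a settings value is persisted without sanitisation and echoed without escaping, so the PoC payload above survives both steps.

```php
<?php
// Added example, NOT the plugin's real code. Option name, nonce action and
// function names are hypothetical; only the WordPress API calls are real.

// --- Vulnerable pattern: label stored and echoed verbatim ---

// Saving the settings form without any sanitisation. WordPress does not
// apply its HTML filter (kses) to arbitrary options on save, so an admin
// who lacks unfiltered_html (multisite, DISALLOW_UNFILTERED_HTML) can
// still persist raw markup here.
function pvc_example_save_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'pvc_example_save' );
    update_option( 'pvc_label', wp_unslash( $_POST['pvc_label'] ?? '' ) );
}

// Rendering the counter on the front end: the stored value is printed
// as-is, so <script>alert(/XSS/)</script> runs for every visitor.
function pvc_example_render_vulnerable( $views ) {
    $label = get_option( 'pvc_label', 'Post Views:' );
    echo '<span class="post-views">' . $label . ' ' . (int) $views . '</span>';
}

// --- Hardened pattern: sanitise on input, escape on output ---

function pvc_example_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'pvc_example_save' );
    $raw = wp_unslash( $_POST['pvc_label'] ?? '' );
    // A plain-text label never needs markup, so strip tags regardless of
    // who submits the form. If a setting legitimately allowed limited HTML,
    // wp_kses_post() would be the filter to apply when the current user
    // lacks the unfiltered_html capability.
    update_option( 'pvc_label', sanitize_text_field( $raw ) );
}

function pvc_example_render_hardened( $views ) {
    $label = get_option( 'pvc_label', 'Post Views:' );
    // Escape at the point of output as well: the stored value may predate
    // the input fix or have been written by another code path.
    echo '<span class="post-views">' . esc_html( $label ) . ' ' . (int) $views . '</span>';
}
```

When the option is registered through the Settings API, the same input-side fix is expressed by passing a sanitize_callback (for example sanitize_text_field) to register_setting(), so that every write to the option, not only the one from this form, is filtered. Output escaping with esc_html() is still required, since sanitisation on save does not protect values that were stored before the fix.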