The plugin was vulnerable to Authenticated Stored Cross-Site Scripting (XSS) in the "Default Publisher ID" field on the plugin's settings page.
Proof of Concept
1. Install WordPress 5.7.2
2. Install and activate Mimetic Books
3. Navigate to Settings >> Mimetic Books API and enter the XSS payload into the Default Publisher ID input field.
4. Click Save Changes.
6. Payload Used: "><script>alert(document.cookie)</script>
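The payload works because a leading "> closes the input's value attribute and then the tag itself, so whatever follows is parsed as markup each time the settings page loads. The sketch below is an added example of a settings field that sanitizes on save and escapes on output using the WordPress Settings API; it is not the Mimetic Books source, and the option name, group and page slug are hypothetical.

```php
<?php
// Added example: hypothetical option name, group and page slug throughout.
// None of these identifiers are taken from the Mimetic Books plugin.

add_action( 'admin_init', function () {
    // Sanitize on save: sanitize_text_field() strips tags before the value
    // is written to the options table. Double quotes are not removed, so
    // escaping on output (below) is still required.
    register_setting( 'example_books_group', 'example_default_publisher_id', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ) );

    add_settings_section( 'example_books_main', 'API settings', '__return_false', 'example-books' );
    add_settings_field( 'example_default_publisher_id', 'Default Publisher ID',
        'example_render_publisher_id', 'example-books', 'example_books_main' );
} );

function example_render_publisher_id() {
    $value = get_option( 'example_default_publisher_id', '' );

    // Vulnerable pattern, kept as a comment for comparison: the stored value
    // is concatenated raw into the attribute, so "> ends the attribute and tag.
    // echo '<input type="text" name="example_default_publisher_id" value="' . $value . '">';

    // Hardened: esc_attr() encodes quotes and angle brackets for attribute context.
    printf(
        '<input type="text" name="example_default_publisher_id" value="%s" class="regular-text">',
        esc_attr( $value )
    );
}

add_action( 'admin_menu', function () {
    // Restrict the page to users who hold manage_options.
    add_options_page( 'Example Books API', 'Example Books API', 'manage_options', 'example-books', function () {
        echo '<div class="wrap"><form method="post" action="options.php">';
        settings_fields( 'example_books_group' ); // emits the nonce and option group fields
        do_settings_sections( 'example-books' );
        submit_button();
        echo '</form></div>';
    } );
} );
```

Values stored before such a fix remain in the options table unsanitized, which is why the output-side esc_attr() call matters independently of the save-side callback.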