The plugin did not properly sanitise the user inputs from its Счетчики settings tab before outputting them back in the page, leading to authenticated stored Cross-Site Scripting issues.
Proof of Concept
As admin, navigate to Settings >> Яндекс.Турбо >> Счетчики, enter a payload such as " onmouseover="alert(1) into all six user input fields, and submit the request.
Better payload (WPScanTeam): " style="animation-name:rotation" onanimationstart="alert(/XSS/)
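Why both payloads above work and what the fix looks like, as an added example that is not the plugin's code. It assumes the stored value is echoed into a double-quoted value attribute, which is what the leading " in the payloads implies; the field name counter_code and the render helpers are hypothetical, and esc_attr() is the WordPress core escaping function, with a stand-in defined so the script runs outside WordPress.

```php
<?php
// Added example, not the plugin's code. Field name and helpers are hypothetical.

// Stand-in so the script runs outside WordPress; WordPress core provides esc_attr().
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: stored setting echoed into a double-quoted attribute as-is.
function render_field_unsafe(string $name, string $stored): string {
    return '<input type="text" name="' . $name . '" value="' . $stored . '">';
}

// Hardened pattern: escape for the attribute context at output time.
function render_field_safe(string $name, string $stored): string {
    return '<input type="text" name="' . esc_attr($name) . '" value="' . esc_attr($stored) . '">';
}

// Attribute names an HTML parser sees on the rendered <input> element.
function input_attribute_names(string $html): array {
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

// The two payloads quoted in this advisory.
$payloads = [
    '" onmouseover="alert(1)',
    '" style="animation-name:rotation" onanimationstart="alert(/XSS/)',
];

foreach ($payloads as $p) {
    $unsafe = input_attribute_names(render_field_unsafe('counter_code', $p));
    $safe   = input_attribute_names(render_field_safe('counter_code', $p));
    echo "unsafe: " . implode(', ', $unsafe) . PHP_EOL;
    echo "safe:   " . implode(', ', $safe) . PHP_EOL;
}
```

In the unsafe render the parser reports event-handler attributes on the element; in the escaped render the whole payload stays inside value.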
The following fields are vulnerable to Stored Cross-Site Scripting: