Well ,sir ,I just found some Stored-XSS bugs at wp-plugin dark-mode.
When I visit the user profile page as a normal user contributor, I'll see the dark-mode function here:
But when I pentest the parameter in this plugin, I found when I write something into this point, it does not filter well.
Weak data parameter:
When the managers login into the panel, if they edit the profile page of contributor, I can get their cookie easily, or do something more evilly.
Well, by the way, I just test the bug in the wordpress 4.9.1 and the latest version of the wp-plugin dark-mode.