Create a new post with two or more headings. Go to the plugin's settings, change the "ez-toc-settings[heading_text_tag]" field to malicious JS code (eval() etc.), for example img src=x onerror=alert(1), and save the settings. (Admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles.)
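The defensive counterpart, as an added example that is not the plugin's own code or its actual fix: a setting that ends up as an HTML tag name is checked against an allow-list when saved and again when rendered. It assumes heading_text_tag is emitted as the tag wrapping the table-of-contents title; the function names, allowed tag list, default tag and CSS class are hypothetical.

```php
<?php
// Added example: allow-list validation for a setting later used as an HTML tag name.
// All names below are hypothetical; only "heading_text_tag" comes from the report above.

const ALLOWED_HEADING_TAGS = ['p', 'span', 'div', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6'];
const DEFAULT_HEADING_TAG  = 'p';

/** Return a safe tag name for the heading_text_tag setting, or the default. */
function sanitize_heading_text_tag($raw): string
{
    // Array-style POST values (heading_text_tag[]=...) arrive as arrays, not strings.
    if (!is_string($raw)) {
        return DEFAULT_HEADING_TAG;
    }
    $tag = strtolower(trim($raw));
    // Strict comparison: only an exact, known tag name passes.
    return in_array($tag, ALLOWED_HEADING_TAGS, true) ? $tag : DEFAULT_HEADING_TAG;
}

/** Render the TOC title. The stored tag is re-validated and the text is escaped. */
function render_toc_title($storedTag, string $title): string
{
    // Re-validate at output time so values saved before the check existed are also covered.
    $tag = sanitize_heading_text_tag($storedTag);
    return sprintf(
        '<%1$s class="toc-title">%2$s</%1$s>',
        $tag,
        htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
    );
}

// Constructed sample inputs; the third is the example value from the steps above.
$samples = ['h2', ' H3 ', 'img src=x onerror=alert(1)', ['h2']];
foreach ($samples as $stored) {
    echo render_toc_title($stored, 'Table of Contents'), PHP_EOL;
}
```

Inside WordPress the same check would run in the settings sanitize callback, with `esc_html()` in place of `htmlspecialchars()`.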