The plugin does not sanitize and escape some parameters, which could allow users with a role as low as subscriber to perform Cross-Site Scripting (XSS) attacks.