The plugin does not sanitize and escape some parameters related to resume, which could allow users with a role as low as subscriber to perform Stored Cross-Site Scripting (XSS) attacks against higher privilege users.