The extension fails to properly encode user input for output in HTML context (CVE-2021-36785). Also the extension contains sensitive data (API credentials and private key) which should not have been published (CVE-2021-36786). Finally the extension bundles several 3rd Party Components (jQuery and robrichards/xmlseclibs) with known security vulnerabilities.