The plugin does not sanitise and escape some of the QR Redirect fields, which could allow users with a role as low as Contributor perform Stored Cross-Site Scripting attacks.
As a contributor, create/edit a "QR Redirect" and set the following fields:
"URL to Redirect to": https://example.com/#" style="animation-name:rotation" onanimationend="alert(/XSS-URL/)//
"Admin Notes": </textarea><script>alert(/XSS-admin-notes/)</script>
The XSS will be triggered when any user access the QR Redirect (for example an admin reviewing it)