The plugin was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability within the “Default Skin” field.
Step1: Install and activate the plugin.
Step2: Go to the plugin setting.
Step3: Enter the following payload in the field "Default Skin"
xss"></td></tr></table><script>alert(1)</script><input type='text' name="hflv_skin" value="xss
Step4: Now the script is stored and whenever the user goes to the plugin the script will be executed.