The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
The shortcode needs to be active (this can be done via the Shortcode tab settings of the plugin), and a Bitly API key needs to be set (it can be a dummy one such as 'aaa') via the Advanced settings of the plugin.
[Campaign-URL-Builder wrapper='" onmouseover="alert(/XSS/)"']
Other attributes were also affected (such as wrapper-inline-style, form-inline-style, input-class, form and custom_parameters).
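The missing validation and escaping described above, shown as an added example that is not the plugin's own code: a hypothetical handler before and after the fix. The `demo_*` function names and the assumption that `wrapper` is written into a double-quoted `class` attribute are illustrative; the two `function_exists` stand-ins only let the file run outside WordPress, where the real `esc_attr()` and `sanitize_html_class()` are not loaded.

```php
<?php
// Added illustration: hypothetical handler, NOT the plugin's source code.
// Stand-ins so the file also runs outside WordPress; inside WordPress the
// real esc_attr() and sanitize_html_class() are used instead.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('sanitize_html_class')) {
    function sanitize_html_class($class) {
        return preg_replace('/[^A-Za-z0-9_-]/', '', (string) $class);
    }
}

// Before: the attribute value is concatenated into the markup unescaped, so a
// double quote in it ends the class attribute and starts a new one.
function demo_render_vulnerable(array $atts): string {
    $wrapper = $atts['wrapper'] ?? '';
    return '<div class="' . $wrapper . '"><form></form></div>';
}

// After: validate each class token against an allow-list of characters, then
// escape at the point of output as well.
function demo_render_hardened(array $atts): string {
    $tokens  = preg_split('/\s+/', (string) ($atts['wrapper'] ?? ''), -1, PREG_SPLIT_NO_EMPTY);
    $classes = array_filter(array_map('sanitize_html_class', $tokens));
    return '<div class="' . esc_attr(implode(' ', $classes)) . '"><form></form></div>';
}

// Constructed input: the attribute value the handler receives for the
// shortcode shown above, plus a benign value for comparison.
$samples = [
    ['wrapper' => '" onmouseover="alert(/XSS/)"'],
    ['wrapper' => 'utm-box wide'],
];
foreach ($samples as $atts) {
    echo 'before: ', demo_render_vulnerable($atts), "\n";
    echo 'after:  ', demo_render_hardened($atts), "\n";
}
```

The same pattern applies to the other listed attributes, with the validation step chosen to match where each value ends up in the markup.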