The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
[wpecpp name="' accesskey='X' onclick='alert(1)'"]
Press Alt + Shift + X in Firefox to trigger the payload.
More information about access keys: https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/accesskey