The setting page of the plugin is vulnerable to reflected Cross-Site Scripting (XSS) as user input is not properly sanitised before being output in an attribute.

Timeline (WPScanTeam)

January 29th, 2021 - Report received & Confirmed & Escalated to WordPress plugins Team (who confirmed to have received the report)
March 16th, 2021 - No updates, disclosing
April 18th, 2021 - v6.4 released, fixing the issue

The PoC will be displayed on May 02, 2021, to give users the time to update.