The plugin does not sanitise and escape various parameters before outputting them back in pages, leading to a Reflected Cross-Site Scripting vulnerability which could be used against high-privilege users such as admins.
Make a logged-in admin open a page with the code below:

https://example.com/wp-admin/admin.php?page=asp_main_settings&asp_sid=1">

Other parameters were affected, reported and fixed, but have not been detailed here.
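A defender can look for past attempts in web server access logs. The following is an added example, not code from the plugin or the advisory: it flags requests to the affected admin page in which any query parameter (not only the one shown above, since other parameters were also affected) decodes to a value containing HTML markup characters. The combined log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Characters that let a reflected value break out of an HTML attribute or tag.
BREAKOUT = re.compile(r'["\'<>]')
# Request part of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
ADMIN_PAGE = "asp_main_settings"  # admin page named in the advisory


def suspicious_params(target):
    """Return [(name, decoded_value)] for parameters carrying markup characters."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return []
    # parse_qsl percent-decodes, so %22%3E is inspected as ">
    params = parse_qsl(parts.query, keep_blank_values=True)
    if ("page", ADMIN_PAGE) not in params:
        return []
    return [(k, v) for k, v in params if k != "page" and BREAKOUT.search(v)]


def scan(lines):
    """Yield (line_number, findings) for each log line that matches."""
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if m:
            found = suspicious_params(m.group(1))
            if found:
                yield n, found


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin.php?page=asp_main_settings&asp_sid=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/admin.php?page=asp_main_settings&asp_sid=1%22%3E HTTP/1.1" 200 5140',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-admin/admin.php?page=other_plugin&id=1%22%3E HTTP/1.1" 200 900',
    '203.0.113.9 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php?s=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for n, found in scan(SAMPLE_LOG):
        print(f"line {n}: {found}")
```

A hit only shows that such a request was made; whether the value was reflected unescaped depends on the plugin version that served it.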