The plugin does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting
https://example.com/wp-admin/admin-ajax.php?action=cdi_collect_follow&trk;=<script>alert(`xss`)</script> Note: PHP must be configured with --enable-soap as the plugin appears to import ‘SoapClient’, which when not found produces an error while installing the plugin.