The plugin does not sanitise and escape the Media Image URL, Video Link, Title and Description field of an Image Hover, which could lead to Stored XSS when low privileged users are allowed to access the plugin’s feature (which can be set via the plugin settings)