The plugin does not sanitise and escape the error parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting
Once the “Server Requirements” are passed in the initial setup process (you can bypass the check for localhosts by editing the is_localhost function in the same file for testing purpose) the vulnerability can be triggered at any time in an admin’s panel using an URI with JavaScript content inserted in the error parameter such as : https://example.com/wp-admin/admin.php?page=wp-time-capsule&error;=">&cloud;_auth_action=g_drive