The plugin does not properly escape its Google API key setting, which is reflected on the site’s administration panel. A malicious administrator could abuse this bug, in a multisite WordPress configuration, to trick super-administrators into viewing the booby-trapped payload and taking over their account.
Put the following payload in the "Google Places API Key" settings of the plugin: test" onfocus=javascript:alert('xss') height="