Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
As admin, enable the 'Floating Sidebar' (/wp-admin/admin.php?page=dpsp-toolkit), then put the payload below in the 'Twitter Username' Settings of the plugin, and enable the 'Add Twitter Username to all tweets' settings as well
"><img src=xss onerror=alert('XSS') />
The XSS will be triggered when accessing the Floating Sidebar page (/wp-admin/admin.php?page=dpsp-sidebar)