The plugin does not sanitise and escape the post/page title, which could allow users with access to the plugin’s editor to perform Cross-Site Scripting attacks.
Create a post using the plugin editor and add the following payload in the Title: "><svg/onload=alert(/XSS/)>
The XSS will be triggered when editing the post again.
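The fix for this class of bug is to encode the title for the HTML attribute context when the edit form is rendered. The sketch below is an added example, not the plugin's own code: it assumes the title is echoed into the `value` attribute of a text input, the function names and the `post_title` field name are hypothetical, and PHP's core `htmlspecialchars()` stands in for WordPress's `esc_attr()` so the block runs without WordPress loaded.

```php
<?php
// Added illustration; function and field names are hypothetical.

// Vulnerable pattern: the stored title is concatenated into the attribute as-is.
function render_title_field_unescaped(string $title): string
{
    return '<input type="text" name="post_title" value="' . $title . '">';
}

// Hardened pattern: encode for the attribute context at output time.
// In WordPress code, esc_attr( $title ) plays this role.
function render_title_field_escaped(string $title): string
{
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="post_title" value="' . $safe . '">';
}

// Regression check: the rendered field must still be exactly one tag, and the
// decoded attribute value must equal the title that was stored.
function field_is_intact(string $html, string $title): bool
{
    if (substr_count($html, '<') !== 1 || substr_count($html, '>') !== 1) {
        return false; // extra markup escaped from the attribute
    }
    if (!preg_match('/ value="([^"]*)">$/', $html, $m)) {
        return false; // attribute was closed early by a quote in the title
    }
    return html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8') === $title;
}

// Constructed sample titles; the last one is the payload from the report above.
$samples = [
    'Quarterly report',
    'Tom & "Jerry"',
    '"><svg/onload=alert(/XSS/)>',
];

foreach ($samples as $title) {
    printf(
        "%-30s unescaped_intact=%-5s escaped_intact=%s\n",
        $title,
        var_export(field_is_intact(render_title_field_unescaped($title), $title), true),
        var_export(field_is_intact(render_title_field_escaped($title), $title), true)
    );
}
```

Escaping at output also protects titles that are already stored in the database, which input sanitisation on save alone would not.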