The plugins use a third-party library that removes the escaping on some HTML characters, leading to a cross-site scripting vulnerability.
WP-Optimize - Reflected Cross-Site Scripting
1. Go to the plugin settings and in the "Images" section check the box "Create WebP version of image".
2. Visit the page: /?s=<script>alert(/XSS/)</script>
SrbTransLatin - Contributor+ Stored Cross-Site Scripting
1. Create a post and add the following content: <script>alert(/XSS/)</script>
2. Load the post on the frontend, and see the XSS alert.