The plugin did not sanitise the login error when output back in the login form, leading to a reflected Cross-Site Scripting issue. This issue does not require authentication and can be exploited with the default configuration.
https://example.com/wp-login.php?login-error=%3Cscript%3Ealert(0)%3C/script%3E