The plugin neither sanitizes nor escapes Client IDs, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
Edit a client ("OAuth Server > Clients") and put the following payload in the "Client ID" field: "><script>alert(/XSS/)</script>
The XSS will be triggered in the Clients list, as well as when editing the client.
v4.2.1 added sanitisation, but no output escaping, so a payload like " style=animation-name:rotation onanimationstart=alert(/XSS/)// would work as well (but is only triggered when editing the client).
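To make the sanitise-versus-escape distinction concrete, here is an added illustration (not the plugin's code) that models the three sinks the advisory describes, a tag-stripping sanitiser standing in for a sanitize_text_field()-style filter and html.escape() standing in for esc_attr(), and checks each rendering with a parser: it shows that stripping tags on save still leaves the second payload able to add attributes, while escaping at the output sink neutralises both payloads and preserves the stored value unchanged.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample values: a benign ID plus the two payloads quoted in the advisory.
BENIGN = "my-client-01"
TAG_PAYLOAD = '"><script>alert(/XSS/)</script>'
ATTR_PAYLOAD = '" style=animation-name:rotation onanimationstart=alert(/XSS/)//'

def sanitize_text(value: str) -> str:
    """Tag-stripping sanitiser applied on save (approximation of a
    sanitize_text_field()-style filter, not the plugin's own code)."""
    return re.sub(r"<[^>]*>", "", value).strip()

def render_unescaped(client_id: str) -> str:
    """Vulnerable sink: the stored value is dropped straight into an attribute."""
    return f'<input name="client_id" value="{client_id}">'

def render_sanitized_only(client_id: str) -> str:
    """Sanitised on save but still not escaped at the sink (the 4.2.1 pattern)."""
    return render_unescaped(sanitize_text(client_id))

def render_escaped(client_id: str) -> str:
    """Fixed sink: attribute-escape at output (what esc_attr() does in WordPress)."""
    return f'<input name="client_id" value="{html.escape(client_id, quote=True)}">'

class _TagCollector(HTMLParser):
    """Records every start tag and its attributes, as a browser would parse them."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def parse_tags(markup: str):
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags

def breakout_detected(markup: str) -> bool:
    """True if the markup holds anything beyond one <input> with exactly the
    name and value attributes, i.e. stored text has escaped its attribute."""
    tags = parse_tags(markup)
    return len(tags) != 1 or tags[0][0] != "input" or set(tags[0][1]) != {"name", "value"}

def round_trips(markup: str, original: str) -> bool:
    """True if the value a browser would see equals what was stored (no data loss)."""
    tags = parse_tags(markup)
    return len(tags) == 1 and tags[0][1].get("value") == original
```

Running the checks over the three sinks reproduces the advisory's observations: only the escaped sink reports no breakout for both payloads while still round-tripping the stored text.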