The plugin registers a shortcode that allows any user with a role as low as contributor to access other users metadata by specifying the user login as a parameter. This makes the WP instance vulnerable to data extrafiltration, including password hashes
As a contributor, put the following shortcode in a post/page [otheruserinfo login="admin" field="user_pass"][/otheruserinfo]