The plugin allowed authenticated users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks as the image_class parameter of the browser-shot shortcode was not escaped.
Add the following shortcode in a page, then view the page (either published or as preview to trigger the XSS): [browser-shot url="https://example.com" image_class='" onload="alert(origin)']