Description

The plugin does not validate and escape one of its Post settings, which could allow users with the contributor role and above to perform open redirect attacks against any user viewing a malicious post.
As a contributor, create a new Post. At the bottom of the page, put the following payload in the Social > Facebook Title field and save:

0;https://wpscan.com/" HTTP-EQUIV="refresh" a="a
Any user (pre)viewing the post will be redirected to https://wpscan.com
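Why the payload above redirects, as an added example that is not part of the original advisory or the plugin's code: it parses the unescaped and the escaped rendering of the same value and reports any meta refresh found. The og:title tag shape and all function names are assumptions, since the advisory does not show the plugin's output; in a WordPress template the escaping step corresponds to esc_attr().

```python
from html import escape
from html.parser import HTMLParser

# Payload quoted in the advisory for the Social > Facebook Title field.
PAYLOAD = '0;https://wpscan.com/" HTTP-EQUIV="refresh" a="a'


def render_unescaped(title):
    # Assumed shape of the vulnerable output: the setting is concatenated
    # straight into a double-quoted attribute value.
    return '<meta property="og:title" content="' + title + '" />'


def render_escaped(title):
    # Hardened form: quotes become &quot;, so the value cannot close the
    # attribute and add attributes of its own.
    return '<meta property="og:title" content="' + escape(title, quote=True) + '" />'


class MetaCollector(HTMLParser):
    """Collects the attributes of every <meta> tag as a dict."""

    def __init__(self):
        super().__init__()
        self.metas = []

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing tags; attribute names arrive lowercased.
        if tag == "meta":
            self.metas.append(dict(attrs))


def parse_metas(html_doc):
    collector = MetaCollector()
    collector.feed(html_doc)
    return collector.metas


def find_meta_refresh(html_doc):
    """Return the content value of each <meta http-equiv="refresh"> tag."""
    return [m.get("content") or "" for m in parse_metas(html_doc)
            if (m.get("http-equiv") or "").lower() == "refresh"]


if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        html_doc = render(PAYLOAD)
        print(render.__name__, "->", html_doc)
        print("  meta refresh found:", find_meta_refresh(html_doc))
```

The same find_meta_refresh() check can be run over rendered post HTML to flag posts whose head contains a refresh directive that the theme did not put there.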