The plugin does not validate the admin_custom_language_return_url parameter before redirecting users to it, leading to an open redirect issue.
https://example.com/wp-admin/admin-ajax.php?action=heartbeat&admin_custom_language_toggle=1&admin_custom_language_return_url=https://wpscan.com
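
A detection sketch for site owners, added here as an example and not taken from the plugin or the original advisory: it scans web access logs for requests whose admin_custom_language_return_url points at a host other than the site's own. The log format (combined), the `SITE_HOSTS` value, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

PARAM = "admin_custom_language_return_url"   # parameter named in the advisory
SITE_HOSTS = {"example.com"}                 # assumption: the site's own hostnames

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&admin_custom_language_toggle=1&admin_custom_language_return_url=https://wpscan.com HTTP/1.1" 302 0
203.0.113.6 - - [10/Jan/2024:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&admin_custom_language_toggle=1&admin_custom_language_return_url=https%3A%2F%2Fexample.com%2Fwp-admin%2F HTTP/1.1" 302 0
203.0.113.7 - - [10/Jan/2024:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&admin_custom_language_toggle=1&admin_custom_language_return_url=%2Fwp-admin%2Findex.php HTTP/1.1" 302 0
203.0.113.8 - - [10/Jan/2024:10:00:12 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 47
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def external_target(request_uri):
    """Return the off-site host the return URL points at, or None."""
    values = parse_qs(urlsplit(request_uri).query).get(PARAM)
    if not values:
        return None                      # parameter absent or empty
    try:
        host = urlsplit(values[0].strip()).hostname
    except ValueError:
        return "<unparseable>"           # malformed value: surface for review
    if host is None or host in SITE_HOSTS:
        return None                      # relative path or same-site URL
    return host


def find_offsite_redirects(log_text):
    """Return (client_ip, target_host) for each off-site return URL seen."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        host = external_target(match.group(1))
        if host:
            hits.append((line.split()[0], host))
    return hits


if __name__ == "__main__":
    for ip, host in find_offsite_redirects(SAMPLE_LOG):
        print(f"{ip} requested redirect to off-site host {host}")
```
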