The plugin did not sanitise the Redirect From and Redirect To fields when creating a new redirect in the dashboard, allowing high privilege users (even with the unfiltered_html disabled) to set XSS payloads
Create a new Custom redirect (/wp-admin/options-general.php?page=seo-redirection.php) and set a payload such as /"><script>alert(/XSS/)</script> in the Redirect From and Redirect To fields