The plugin does not properly escape URLs it concatenates to onclick event handlers, which makes Stored Cross-Site Scripting attacks possible.
On any post on the affected site, add the following link to a comment:
<a href="http://domain.tld/'-alert(1)-'/">Click here for XSS</a>
Click on the link; an alert box should appear.
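
The flaw and its fix, modelled in JavaScript as an added example (not the plugin's code). The handler shape `track('<url>')` and all function names are hypothetical, and the weak version assumes the URL is HTML-escaped but not encoded for the JavaScript string it ends up in:

```javascript
// Encode a value for an HTML attribute (numeric entities for the five special characters).
const htmlAttr = (s) => s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// What the browser does to an attribute value before handing it to the JS engine.
const htmlDecode = (s) =>
  s.replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)));

// Weak: the URL is escaped for HTML only, then concatenated into a JS string literal.
// The browser decodes &#39; back to ' before running the handler, so the quote
// still terminates the string.
function onclickWeak(url) {
  return `track('${htmlAttr(url)}')`;
}

// Hardened: encode for the innermost context first (JS string, via JSON.stringify),
// then for the outer one (HTML attribute).
function onclickSafe(url) {
  return htmlAttr(`track(${JSON.stringify(url)})`);
}

// Evaluate an onclick value the way a browser would: decode the attribute, then
// run it as JS. track() and alert() are stubs that only record calls.
function simulateClick(attrValue) {
  const calls = { track: [], alert: 0 };
  const handler = new Function('track', 'alert', htmlDecode(attrValue));
  handler((u) => calls.track.push(u), () => { calls.alert += 1; return 0; });
  return calls;
}

// The href from the comment above.
const SAMPLE_URL = "http://domain.tld/'-alert(1)-'/";

console.log('weak attr:', onclickWeak(SAMPLE_URL));
console.log('weak run :', simulateClick(onclickWeak(SAMPLE_URL)));
console.log('safe attr:', onclickSafe(SAMPLE_URL));
console.log('safe run :', simulateClick(onclickSafe(SAMPLE_URL)));
```

Keeping the URL in a `data-` attribute and binding the handler with `addEventListener` avoids the nested JavaScript-in-HTML context altogether.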