Description
The plugin does not sanitise and escape a parameter before outputting it back in a page containing specific content, leading to a Reflected Cross-Site Scripting issue which could be used against high-privilege users such as admins.
On a post/page containing the following output (which can be plain text in the post content): "id":""customThumbnail":"", have a logged-in admin open the URL below:
https://example.com/related-page-post/?hash=*(?:'><svg%20onload=alert(`XSS`)>)*
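
One way to spot requests like the one above in web server access logs. This is an added example, not code from the advisory or the plugin; the combined log format, the constructed sample lines, and the rule that a legitimate hash value never contains markup characters are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Characters that let a reflected value break out of an attribute or tag.
MARKUP_CHARS = set("<>'\"`")
# Request field of a combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines; the payload in line 2 is the URL from the advisory.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /related-page-post/?hash=3f2a9c HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /related-page-post/'
    '?hash=*(?:%27%3E%3Csvg%20onload=alert(%60XSS%60)%3E)* HTTP/1.1" 200 5344',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /related-page-post/?hash=%253Csvg%253E HTTP/1.1" 200 5130',
    '203.0.113.7 - - [01/Jan/2024:10:00:12 +0000] "GET /?s=a%3Cb HTTP/1.1" 200 900',
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (bounded), so %253C is seen as '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_values(log_line, param="hash"):
    """Return decoded values of `param` that contain markup characters."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(value)
        if name == param and MARKUP_CHARS & set(value):
            hits.append(value)
    return hits

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    return [(n, v) for n, line in enumerate(lines, 1) for v in suspicious_values(line)]

if __name__ == "__main__":
    for line_no, value in scan(SAMPLE_LOG):
        print(f"line {line_no}: suspicious hash value {value!r}")
```

Only the hash parameter is inspected, so markup in other parameters (line 4 of the sample) is intentionally not reported here.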