The plugin did not sanitise or escape the Map Title before outputting them in the page, leading to a Stored Cross-Site Scripting issue by high privilege users, even when the unfiltered_html capability is disallowed
Create a new map. Add an XSS payload to the title. Click "Show as map title". Add the map to a page or post with the shortcode.