Description
The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
As a Contributor user, create a new post and add a shortcode containing the following payload:
[expand elwraptag="img src=cx.jpg onmouseover=alert(1);"]test
Now, as an administrator, preview the post and it'll trigger the payload.
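The missing validation described above, shown as an added example in plain PHP (not the plugin's code): an unvalidated wrapper-tag attribute next to an allowlisted version. The function names, the allowlist and the default tag are assumptions; only the attribute name `elwraptag` and the sample value come from this advisory.

```php
<?php
// Added illustration, not the plugin's source. Function names, the allowlist
// and the default tag are assumptions made for this example.

// Hypothetical vulnerable pattern: the attribute value is used as an element
// name as-is, so everything after the first space is parsed as attributes.
function render_expand_unsafe(array $atts, string $content): string {
    $tag = $atts['elwraptag'] ?? 'span';
    return "<{$tag}>{$content}</{$tag}>";
}

// Hardened pattern: the tag name must be an exact match in a fixed allowlist,
// otherwise a safe default is used. Nothing from the attribute reaches the
// markup unless it is one of these literal strings.
const EXPAND_ALLOWED_WRAP_TAGS = ['div', 'span', 'p', 'section'];

function render_expand_safe(array $atts, string $content): string {
    $tag = strtolower(trim((string) ($atts['elwraptag'] ?? 'span')));
    if (!in_array($tag, EXPAND_ALLOWED_WRAP_TAGS, true)) {
        $tag = 'span';
    }
    // Plain PHP escaping for this stand-alone example. Inside WordPress,
    // wp_kses_post() would be used instead to keep permitted post markup.
    $body = htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<{$tag}>{$body}</{$tag}>";
}

// Constructed input mirroring the shortcode attribute shown in the advisory.
$reported = ['elwraptag' => 'img src=cx.jpg onmouseover=alert(1);'];

// Unvalidated: the event handler ends up as an attribute of the element.
echo render_expand_unsafe($reported, 'test'), PHP_EOL;

// Allowlisted: the value is rejected and the default wrapper is emitted.
echo render_expand_safe($reported, 'test'), PHP_EOL;

// A legitimate value still works, regardless of case.
echo render_expand_safe(['elwraptag' => 'DIV'], 'test'), PHP_EOL;
```

An allowlist is used rather than character stripping because the attribute selects an element name, and only a small fixed set of names is ever valid there.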