The plugin was vulnerable to Authenticated Stored Cross-Site Scripting (XSS) in the "Twitter username to mention" text field.
1. Insert the payload below in the "Twitter username to mention" text field:
"><script>alert(44)</script>
2. Click on Save Changes
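
How a field like this can be hardened, as an added example that is not the plugin's own code: validate the handle when it is saved and escape it when it is written back into the form. The function and field names are hypothetical, and the example assumes the saved value is echoed into the input's value attribute.

```php
<?php
// Added example: names are hypothetical, not taken from the plugin.

/**
 * Validate a Twitter username before it is stored.
 * Handles are letters, digits and underscore, at most 15 characters;
 * a leading "@" is tolerated and stripped. Anything else is rejected.
 * In WordPress this would be the setting's sanitize callback.
 */
function example_sanitize_twitter_mention(string $raw): string
{
    $handle = ltrim(trim($raw), '@');
    return preg_match('/\A[A-Za-z0-9_]{1,15}\z/', $handle) === 1 ? $handle : '';
}

/**
 * Render the settings input. The value is escaped for the attribute
 * context even though it was validated on save, so a value written to
 * the database by another path cannot break out of value="...".
 * In WordPress this is the job of esc_attr().
 */
function example_render_mention_field(string $stored): string
{
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="example_twitter_mention" value="' . $safe . '">';
}

// Constructed inputs: a normal handle and the payload from the steps above.
$inputs = ['@example_user', '"><script>alert(44)</script>'];

foreach ($inputs as $raw) {
    $stored = example_sanitize_twitter_mention($raw);
    printf("submitted: %s\nstored:    '%s'\n", $raw, $stored);
    // Escaping alone, applied to the raw value, keeps it inside the attribute.
    printf("escaped:   %s\n\n", example_render_mention_field($raw));
}
```

Run with the PHP CLI: the handle is stored as `example_user`, the payload is stored as an empty string, and the escaped output shows the payload's quote and angle brackets as HTML entities.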