The plugin does not sanitise and escape some of the QR Redirect fields, which could allow users with a role as low as Contributor perform Stored Cross-Site Scripting attacks.
As a contributor, create/edit a “QR Redirect” and set the following fields: “URL to Redirect to”: https://example.com/#" style=“animation-name:rotation” onanimationend="alert(/XSS-URL/)// “Admin Notes”: The XSS will be triggered when any user access the QR Redirect (for example an admin reviewing it)