The plugin does not sanitise and escape its Duplicate Title and Slug settings, which could allow high-privilege users such as admins to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Put the following payload in the “Duplicate Title” or “Duplicate Slug” settings: ">
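
The fix for this class of bug, as an added example that is not the plugin's own code: sanitise each setting when it is saved and escape it when the settings form prints it back. The option names, the settings group and the render function are hypothetical, and the sketch assumes the stored value is echoed into an input's value attribute.

```php
<?php
// Added example, not the plugin's code. All example_* names are hypothetical.

// 1. Sanitise on save: register each setting with a sanitize callback so
//    markup is stripped before the value is written to the options table.
add_action( 'admin_init', function () {
    register_setting( 'example_duplicate_settings', 'example_duplicate_title', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field', // strips tags and extra whitespace
        'default'           => '',
    ) );
    register_setting( 'example_duplicate_settings', 'example_duplicate_slug', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_title', // reduces the value to a URL-safe slug
        'default'           => '',
    ) );
} );

// 2. Escape on output: the form prints the stored value inside an HTML
//    attribute (assumed context), so it must pass through esc_attr().
function example_render_duplicate_fields() {
    $title = get_option( 'example_duplicate_title', '' );
    $slug  = get_option( 'example_duplicate_slug', '' );

    // Unsafe pattern for comparison: the raw option concatenated into the attribute.
    // echo '<input type="text" name="example_duplicate_title" value="' . $title . '">';

    printf(
        '<input type="text" name="example_duplicate_title" value="%s">',
        esc_attr( $title )
    );
    printf(
        '<input type="text" name="example_duplicate_slug" value="%s">',
        esc_attr( $slug )
    );
}
```

Both layers matter: values stored before the sanitize callback existed are still in the database, so the output escaping is what protects already-saved settings.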