The plugin does not sanitise and validate the wlcms[_login_custom_js] parameter before outputting it back in the response while previewing, leading to a Reflected Cross-Site Scripting issue.
In versions before 2.2.8, both unauthenticated and authenticated users can be attacked with it. In 2.2.8, it will only trigger against authenticated users.
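
For triage on a site that ran an affected version, the following added example (not part of the advisory and not the plugin's code) scans web access logs for requests that carry the parameter, including percent-encoded and double-encoded forms of its name. It assumes the Apache/nginx "combined" log format and that the parameter arrives in the query string; values sent in a POST body do not appear in access logs. The log lines, IP addresses and the wlcms[other_key] name are constructed samples.

```python
import re
from urllib.parse import unquote

PARAM = "wlcms[_login_custom_js]"  # parameter name taken from the advisory

# Assumed log layout: Apache/nginx "combined" format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

def decode_fully(text, rounds=3):
    """Percent-decode repeatedly so double-encoded names (%255B) are caught."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def has_param(target):
    """True if any query-string key decodes to the advisory's parameter name."""
    query = target.partition("?")[2].split("#")[0]
    for pair in query.split("&"):
        if decode_fully(pair.split("=", 1)[0]) == PARAM:
            return True
    return False

def scan(lines):
    """Return (ip, status, referer, target) for each request carrying PARAM."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and has_param(m["target"]):
            hits.append((m["ip"], m["status"], m["referer"], m["target"]))
    return hits

# Constructed sample lines (documentation IP range, placeholder values).
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /?wlcms%5B_login_custom_js%5D=PLACEHOLDER HTTP/1.1" 200 512 "https://other.example/" "ua"',
    '198.51.100.8 - - [01/Jan/2024:10:00:05 +0000] "GET /?wlcms%255b_login_custom_js%255d=PLACEHOLDER HTTP/1.1" 200 512 "-" "ua"',
    '198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "GET /?s=wlcms%5B_login_custom_js%5D HTTP/1.1" 200 512 "-" "ua"',
    '198.51.100.9 - - [01/Jan/2024:10:00:12 +0000] "GET /?wlcms[other_key]=PLACEHOLDER HTTP/1.1" 200 512 "-" "ua"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A hit whose referer points at an external site is worth reviewing first, since a reflected issue is normally delivered through a link the victim follows.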