The plugin does not escape the $_SERVER[‘REQUEST_URI’] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers
Make a logged in admin open the below URL using web browser which does not encode characters https://example.com/wp-admin/admin.php?page=vkExUnit_css_customize&b;=">