The plugin does not escape some shortcode attributes, allowing users with a role as low as Contributor toperform Stored Cross-Site Scripting attacks
As a user with a role as low as contributor, put the following shortcode in a post/page and view/preview it to trigger the XSS (which is specific to the TwentyTwentuOne theme but could be changed) [coolclock fontcolor=‘orange" style=“animation-name:twentytwentyone-close-button-transition” onanimationend="alert(origin)//’]