The plugin does not sanitise and escape the key parameter before outputting it back in the response of the wishlist_quickview AJAX action (available to any authenticated user), leading to Reflected Cross-Site Scripting.
The source and destination should use the https:// protocol for the exploit to work on Chrome.
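
The bug class described above, shown as an added example that is not the plugin's own code: a hypothetical handler for the wishlist_quickview action that reflects key unescaped, beside a hardened version. The function names, the nonce action, the use of `$_REQUEST` and the markup are assumptions.

```php
<?php
// Added illustration, NOT the plugin's source. Function names, the nonce
// action 'example_quickview' and the HTML markup are hypothetical.

// Vulnerable pattern: the request value is echoed into the response as-is,
// so any markup in "key" becomes part of the page.
function example_quickview_vulnerable() {
    $key = $_REQUEST['key']; // assumption: parameter is read from the request
    echo '<div class="quickview" data-key="' . $key . '">' . $key . '</div>';
    wp_die();
}

// Hardened pattern: verify a nonce, sanitise on input, escape on output.
function example_quickview_hardened() {
    // Dies with 403 unless the request carries a valid nonce, so a request
    // triggered from another site for a logged-in user is rejected.
    check_ajax_referer( 'example_quickview', 'nonce' );

    $raw = isset( $_REQUEST['key'] ) ? wp_unslash( $_REQUEST['key'] ) : '';
    if ( ! is_string( $raw ) ) {
        wp_send_json_error( 'invalid key', 400 ); // arrays etc. are refused
    }

    // sanitize_key() keeps only lowercase alphanumerics, dashes, underscores.
    $key = sanitize_key( $raw );
    if ( '' === $key ) {
        wp_send_json_error( 'invalid key', 400 );
    }

    // Escape for the context the value lands in, even after sanitising:
    // esc_attr() for the attribute, esc_html() for the element body.
    printf(
        '<div class="quickview" data-key="%s">%s</div>',
        esc_attr( $key ),
        esc_html( $key )
    );
    wp_die();
}

// wp_ajax_{action} fires only for logged-in users, matching the advisory's
// "available to any authenticated user".
add_action( 'wp_ajax_wishlist_quickview', 'example_quickview_hardened' );
```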