The plugin does not properly escape URLs it concatenates to onclick event handlers, which makes Stored Cross-Site Scripting attacks possible.
On any post on the affected site, add the following link to a comment: Click here for XSS. Click on the link; you should get an alert box.
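As an added example that is not the plugin's own code, the rendering bug in the first sentence and its fix, written in JavaScript rather than the plugin's PHP: a URL inside an onclick handler is a JavaScript string literal nested inside an HTML attribute, so it needs both JS-string escaping and attribute escaping. The WordPress context is assumed; `escAttr` stands in for `esc_attr()`, `openUrl` is a hypothetical handler, and `TAINTED_URL` is a constructed sample, not the advisory's payload.

```javascript
// Constructed sample: a stored URL carrying a quote and an angle bracket,
// the characters that let raw concatenation break out of the handler.
const TAINTED_URL = "https://example.com/?q=it's <b>";

// Vulnerable pattern: the URL is concatenated straight into the handler.
// A single quote in the URL ends the JS string literal early.
function renderLinkVulnerable(url) {
  return `<a href="#" onclick="openUrl('${url}'); return false;">open</a>`;
}

// HTML attribute escaping (assumed equivalent to WordPress esc_attr()).
function escAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hardened pattern, inner context first: JSON.stringify yields a quoted JS
// string literal with backslashes, quotes and U+2028/2029 escaped; escAttr
// then makes that literal safe inside a double-quoted attribute. The HTML
// parser decodes the entities before the JS engine sees the handler, so
// openUrl still receives the original URL, just as data.
function renderLinkSafe(url) {
  const jsLiteral = JSON.stringify(url);
  return `<a href="#" onclick="openUrl(${escAttr(jsLiteral)}); return false;">open</a>`;
}

// Defensive check on rendered output: the onclick value must still be a
// single attribute whose body contains no raw quote or angle bracket.
function handlerBodyIsIntact(html) {
  const m = html.match(/onclick="([^"]*)"/);
  if (!m) return false;
  return !/['<>]/.test(m[1]);
}

// Side-by-side rendering of the same stored URL for inspection.
function demo(url = TAINTED_URL) {
  return { vulnerable: renderLinkVulnerable(url), safe: renderLinkSafe(url) };
}

console.log(demo());
```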