The plugin does not sanitize and escape the ‘wp_user_cover_default_image_url parameter before outputting it to the pages on the site, allowing an authenticated (admin+) user to inject arbitrary web scripts even when unfiltered_html has been disabled (such as in a multisite setup.)