The plugin fails to restrict access to the site settings page, allowing unauthenticated users to change them, such as site title, description as well as put XSS payload in the footer, leading to Unauthenticated Stored XSS issues.
As we saw probes in the wild checking for the issue, we choose to disclose it (see below for details).
February 10th, 2020 - Report received & WP Plugins Team notified.
February 12th, 2020 - WP Plugin Team Investigating
February 12th, 2020 - v1.0.114 released in SVN, fixing the issue. However, the plugin is still closed
March 3rd, 2020 - Seeing probes checking for the issue
March 4th, 2020 - Contacted WP Plugin to have an ETA about re-opening the plugin
March 5th, 2020 - Plugin can not be re-opened yet as there are other issues (including legal ones), as well as incomplete fixes
March 5th, 2020 - Issue disclosed, we recommend to remove the plugin until a new version is available and downloadable
March 6th, 2020 - Plugin re-opened