Versions <= 3.2.1 contain multiple XSS issues in various locations because user input is not escaped before being output. Example: https://<BLOG>/wp-admin/admin.php?page=mbt_help&mbt_video_tutorial="><svg/onload=alert(/XSS/)>
v3.2.2 implemented numerous sanitisation improvements; however, there was still at least one DOM XSS:
June 30th - Vendor contacted about the DOM XSS
June 30th - Fix pushed in trunk. The vendor also reviewed all other usage of jQuery in the plugin and did not find other cases of user input in a jQuery selector.
July 3rd - Version 3.2.3 released
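
The review noted in the timeline, looking for user input that reaches a jQuery selector, can be partly automated. The following is an added example, not code from the plugin or its vendor: a heuristic that flags $() / jQuery() calls whose argument derives from a URL-controlled value. The source list and the sample lines are constructed assumptions.

```javascript
// Added example (not the plugin's code): heuristic aid for a manual review.
// Assumed list of URL-derived values that a crafted link can control.
const SOURCES = /\b(?:location\.(?:hash|search|href)|document\.(?:URL|referrer)|window\.name)\b/;

// Return the raw argument text of every $(...) / jQuery(...) call on a line.
function jqueryArgs(line) {
  const args = [];
  const call = /(?:\$|\bjQuery)\(/g;
  while (call.exec(line) !== null) {
    let depth = 1, j = call.lastIndex;
    for (; j < line.length && depth > 0; j++) {
      if (line[j] === '(') depth++;
      else if (line[j] === ')') depth--;
    }
    args.push(line.slice(call.lastIndex, depth === 0 ? j - 1 : j));
  }
  return args;
}

// True when the expression reads a source directly or uses a tainted variable.
function isTainted(expr, tainted) {
  if (SOURCES.test(expr)) return true;
  const code = expr.replace(/'[^']*'|"[^"]*"/g, ''); // ignore string literals
  return (code.match(/[A-Za-z_$][\w$]*/g) || []).some((name) => tainted.has(name));
}

// Walk the source top to bottom, propagating taint through simple
// declarations and reporting jQuery calls that receive tainted input.
function auditJquerySelectors(source) {
  const tainted = new Set();
  const findings = [];
  source.split('\n').forEach((line, i) => {
    const assign = line.match(/\b(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=\s*(.+)/);
    if (assign && isTainted(assign[2], tainted)) tainted.add(assign[1]);
    for (const arg of jqueryArgs(line)) {
      if (isTainted(arg, tainted)) findings.push({ line: i + 1, arg: arg.trim() });
    }
  });
  return findings;
}

// Constructed sample script; none of these lines come from the plugin.
const SAMPLE = [
  "var tab = window.location.hash;",
  "jQuery(tab).addClass('active');",
  "$('#help .video').hide();",
  "var id = 'panel-' + location.search.slice(1);",
  "$('#' + id).show();",
  "$(location.hash).show();",
].join('\n');
console.log(auditJquerySelectors(SAMPLE));
```

Each finding is a candidate for manual review, not a confirmed issue: the check is line-based and does not follow taint through function calls or reassignments.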