The plugin is affected by an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. The plugin would display the user's user agent string without validation or encoding within the WordPress admin panel.
Proof of Concept
$ curl -i http://localhost:10008/ --user-agent "</script><script>alert(1)</script>"
The payload will be executed on the "visitors" page within the WordPress admin panel.