The plugin adds a shortcode that prints out other pages' content and custom fields. The custom field values are not escaped when they are output, so users with a role as low as Contributor can perform Cross-Site Scripting attacks by storing payloads in another post's custom fields.
Proof of Concept
- Create page A
- Add a custom field containing JS to page A
- Create page B
- Add the shortcode to page B: [insert page="page_A_slug" display="all"]
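
The root cause is output of custom fields without escaping. The sketch below is an added illustration, not the plugin's own code: it shows the unescaped pattern beside an escaped one for a hypothetical `[example_insert_page]` shortcode. The shortcode name and all `example_*` function names are assumptions; the WordPress functions called are core APIs.

```php
<?php
// Added illustration: hypothetical shortcode [example_insert_page], not the plugin's code.

// Vulnerable pattern: custom field keys and values are concatenated into the page
// as-is, so markup stored in a field by a Contributor runs in each visitor's browser.
function example_render_meta_unescaped( $post_id ) {
    $out = '';
    foreach ( get_post_meta( $post_id ) as $key => $values ) {
        foreach ( $values as $value ) {
            $out .= '<p><strong>' . $key . '</strong>: ' . $value . '</p>';
        }
    }
    return $out;
}

// Hardened pattern: skip protected (underscore-prefixed) keys and escape at output.
function example_render_meta_escaped( $post_id ) {
    $out = '';
    foreach ( get_post_meta( $post_id ) as $key => $values ) {
        if ( is_protected_meta( $key, 'post' ) ) {
            continue;
        }
        foreach ( $values as $value ) {
            $out .= '<p><strong>' . esc_html( $key ) . '</strong>: '
                  . esc_html( $value ) . '</p>';
        }
    }
    return $out;
}

function example_insert_page_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'page' => '', 'display' => 'title' ), $atts );
    $page = get_page_by_path( sanitize_title( $atts['page'] ) );
    // Only embed pages that exist and are already published.
    if ( ! $page || 'publish' !== $page->post_status ) {
        return '';
    }
    $out = '<h2>' . esc_html( get_the_title( $page ) ) . '</h2>';
    if ( 'all' === $atts['display'] ) {
        $out .= wp_kses_post( $page->post_content );      // allow only post-safe HTML
        $out .= example_render_meta_escaped( $page->ID ); // fields rendered as text
    }
    return $out;
}
add_shortcode( 'example_insert_page', 'example_insert_page_shortcode' );
```

With the escaped renderer, a custom field holding markup is displayed as literal text instead of being interpreted by the browser.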