The plugin is vulnerable to Reflected Cross-Site Scripting via the id parameter in the ~/cover-carousel.php file, which allows attackers to inject arbitrary web scripts.
2021-09-08
2021-09-09
2022-04-09