The plugin is vulnerable to Reflected Cross-Site Scripting via the id parameter in the ~/cover-carousel.php file which allows attackers to inject arbitrary web scripts.
2021-09-08 (about 1 years ago)
2021-09-09 (about 1 years ago)
2022-04-09 (about 9 months ago)