The plugin version 1.6.2 and possibly below, was vulnerable to Stored Cross-Site Scripting (XSS) in the plugin's fieldnameDomain settings parameter. The form did require a valid CSRF nonce, limiting the exploitability of the vulnerability.
Proof of Concept
In the plugin's advanced settings (wp-admin/options-general.php?page=wp24_domaincheck_settings&tab=advanced), put the following payload in the Domain fieldname input: " onfocus=alert(/XSS/); autofocus=
Fixed in version 1.6.3✓
2021-01-06 (about 4 months ago)
2021-01-11 (about 3 months ago)
2021-01-26 (about 3 months ago)