The plugin version 1.6.2 and possibly below, was vulnerable to Stored Cross-Site Scripting (XSS) in the plugin's fieldnameDomain settings parameter.
The form did require a valid CSRF nonce, limiting the exploitability of the vulnerability.
Proof of Concept
In the plugin's advanced settings (wp-admin/options-general.php?page=wp24_domaincheck_settings&tab=advanced), put the following payload in the Domain fieldname input:
" onfocus=alert(/XSS/); autofocus=