The plugin is closed; I strongly suggest you find another.
The recently identified vulnerability has been patched in version 1.4.4.
If you have information on a still-present vulnerability, please let me know (https://evona.nl/contact/ should work, reply here too so I can check it didn’t end up in spam).
The plugin will remain closed, though, per a strong recommendation by the WordPress plugin team to do so, since I’m no longer actively developing the plugin and only addressing serious concerns. Any current users should have received and should install the update.
If you really, really want to use the plugin, you can always use SVN to get it.
Thank you for your response. I just sent you an email via your form on your contact page.
I’ve reviewed your mail and it’s just a scan report.
This plugin tends to trigger false positives, either because it’s closed (which indicates there is a vulnerability, so a lazy scanner that assumes all closed plugins contain vulnerabilities will think it’s vulnerable) or because, depending on your definition, it still makes XSS possible since as an authenticated user you can insert scripts (both on and cross site) into the head section, which precisely is the purpose of this plugin (you can argue that isn’t a false positive, but then you shouldn’t be using this plugin).
I wouldn’t worry about it. As soon as I receive information on a credible XSS attack I’ll update.