This plugin takes input from $_GET and puts it directly into HTML without escaping it, which is a reflected cross-site scripting (XSS) flaw. This means that anybody who can convince a logged-in admin user to click on a crafted link can run script in that user's browser on the site's domain and act as the admin: delete posts, add new admin users, and so on.
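The vulnerable pattern described above next to its hardened form, as an added illustration (not the plugin's own code); the page name, the parameter name "q" and the surrounding markup are assumptions:

```php
<?php
// Added example, not code from the affected plugin. Assumes a hypothetical
// admin page that reflects a $_GET parameter named "q" back into its HTML.

// Vulnerable form: the raw query-string value is concatenated into HTML.
// Any markup an attacker places in the link is rendered in the admin's browser.
function vulnerable_search_notice() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    echo '<p>Results for: ' . $q . '</p>';
}

// Hardened form: strip WordPress' added slashes and sanitize on input,
// then escape on output with the helper that matches the HTML context.
// esc_html() turns < > & " ' into entities, so the value is shown as text.
function hardened_search_notice() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    echo '<p>Results for: ' . esc_html( $q ) . '</p>';
}

// The same value inside an attribute needs esc_attr(); the quoting rules differ
// from element content, so the escaping helper must follow the output context.
function hardened_search_form() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    echo '<input type="text" name="q" value="' . esc_attr( $q ) . '">';
}
```

When reviewing a plugin for this class of bug, grep for `$_GET`, `$_POST` and `$_REQUEST` and confirm every echoed value passes through an `esc_*()` call appropriate to where it lands.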
Proof of concept
Log in as an admin user on a site with this plugin activated, using a browser without built-in reflected XSS filtering (e.g. Firefox), and visit this URL:
Update to version 1.2.6 or later.