The settings page of the Redirect 404 to parent WordPress plugin before 1.3.1 did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue
https://wpscan.com/vulnerability/b9a535f3-cb0b-46fe-b345-da3462584e27