The plugin includes a vendored dompdf example file that is susceptible to reflected cross-site scripting (XSS) and could be used against high-privilege users such as an admin.
View the template here: CVE-2022-4321.yaml
References:
https://github.com/ARPSyndicate/cvemon