The attacker could use this to create a new user, create posts, add arbitrary PHP code (if the theme/plugin editor component is enabled) – almost anything a logged-in admin user can do.
Current state: Identified
Step 1: Log in.
Step 2: Visit this URL to store the arbitrary HTML: http://localhost/wp-admin/options-general.php?page=msmc-comment-redirect&action=1&MSMC_redirect_location=http://localhost/?%22%3E%3Cscript%3Ealert(1)%3C/script%3E
Step 3 is unnecessary in browsers without XSS filtering (i.e. Firefox).
The plugin author has indicated that this plugin is abandonware and has unpublished it from the WordPress directory. Disable and uninstall the plugin as this bug won’t be fixed.