The plugin does not escape the Amount Menu Name field of created Buttons, which could allow a high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Create/Edit a Button and put the following payload in the Amount Menu Name field (wpedon_button_scpriceprice parameter): " autofocus=autofocus onfocus=alert(/XSS/) e=
The XSS will trigger when editing the affected Button