The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).
Put the payload in any text field of the "8 Do you want to show a subscription form (increases sign-ups)? » Text above the entry field » Text" settings and save: " style=animation-name:rotation onanimationstart=alert(/XSS/)//
The XSS will be triggered when re-accessing the settings.
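To show the root cause and the fix for this bug class, here is an added example (not the plugin's own code) of a WordPress settings text field that is sanitized on save and escaped on output; the option group, option name and function names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Names (my_plugin_settings,
// subscription_text_above) are hypothetical.

// 1. Sanitize on save: the sanitize_callback passed to register_setting()
//    runs on every save, independent of the unfiltered_html capability.
function my_plugin_register_settings() {
    register_setting(
        'my_plugin_settings',
        'subscription_text_above',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field', // strips tags and control chars
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'my_plugin_register_settings' );

// 2. Escape on output, for the context the value lands in.
//    Attribute context: esc_attr() encodes the double quote, so a stored
//    value beginning with `" style=...` cannot break out of value="...".
function my_plugin_render_text_above_field() {
    $value = get_option( 'subscription_text_above', '' );
    printf(
        '<input type="text" name="subscription_text_above" value="%s" />',
        esc_attr( $value )
    );
}

//    Element-body context on the public form: esc_html() for plain text,
//    or wp_kses_post() if the field is meant to allow limited HTML
//    (then use wp_kses_post as the sanitize_callback as well).
function my_plugin_render_text_above_public() {
    $value = get_option( 'subscription_text_above', '' );
    echo '<p class="subscription-text">' . esc_html( $value ) . '</p>';
}

// Vulnerable pattern, shown for comparison only: the stored value is
// interpolated into an attribute with no escaping, which is the defect
// the hardened functions above correct.
function my_plugin_render_text_above_field_vulnerable() {
    $value = get_option( 'subscription_text_above', '' );
    echo '<input type="text" name="subscription_text_above" value="' . $value . '" />';
}
```

Sanitizing on save alone is not sufficient, since values may already be stored or written by other code paths; the output escaping is what prevents the stored payload from executing when the settings page is reloaded.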