The plugin does not sanitise and escape some of its settings, which allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example on multisite, or when DISALLOW_UNFILTERED_HTML is set), since the settings are never passed through a KSES filter before being echoed back.
Proof of concept: put the following payload in any of the Mailchimp integration settings (/wp-admin/admin.php?page=poll-maker-ays-settings&ays_poll_tab=tab2) and save; the injected tag is rendered, and the script executes, whenever the settings tab is loaded again: "><img src onerror=alert(/XSS/)>
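The root cause described above, illustrated with an added PHP example that is not taken from the plugin's source: a hypothetical settings page that stores a POSTed value unmodified and echoes it straight into an input attribute, beside a hardened version that sanitises on save and escapes on output. The option name, function names and settings group used here are assumptions.

```php
<?php
// Added example, not the plugin's own code. Option and function names are hypothetical.

// --- Vulnerable pattern -------------------------------------------------
// The raw POST value is saved and later echoed unescaped inside value="...".
// A value of  "><img src onerror=alert(/XSS/)>  closes the attribute and the
// <input> tag, and the injected <img> fires onerror on every page load.
function vuln_save_settings() {
    if ( isset( $_POST['mailchimp_api_key'] ) ) {
        // No sanitisation: whatever the admin typed goes into the database.
        update_option( 'example_mailchimp_api_key', $_POST['mailchimp_api_key'] );
    }
}

function vuln_render_settings() {
    $key = get_option( 'example_mailchimp_api_key', '' );
    // No escaping: a stored double quote breaks out of the attribute.
    echo '<input type="text" name="mailchimp_api_key" value="' . $key . '">';
}

// --- Hardened pattern ---------------------------------------------------
// Sanitise on input, escape on output. Neither step relies on the
// unfiltered_html capability: that capability only controls what core's
// KSES filtering strips from post content, so a plugin that never runs its
// own data through KSES gets no protection from it, which is why the
// advisory's payload works with unfiltered_html disallowed.
function hardened_register_settings() {
    register_setting(
        'example_poll_settings',             // settings group (hypothetical)
        'example_mailchimp_api_key',         // option name (hypothetical)
        array(
            'type'              => 'string',
            // Runs when options.php saves the form (after its nonce check):
            // strips tags and invalid UTF-8, trims whitespace.
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'hardened_register_settings' );

function hardened_render_settings() {
    // Only users who may manage options see the field at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $key = get_option( 'example_mailchimp_api_key', '' );
    // esc_attr() converts " to &quot; and < to &lt;, so even a value that
    // slipped past sanitisation stays inside the attribute as inert text.
    printf(
        '<input type="text" name="mailchimp_api_key" value="%s">',
        esc_attr( $key )
    );
}
```

To verify a fix, save the advisory's payload and view the page source of the settings tab: the stored value should appear as an entity-encoded string inside value="..." rather than as a live img tag, and the onerror handler should not fire.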