The plugin does not sanitize and escape some of its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
As administrator, put the following payload in any of the plugin's settings and save: "><script>alert(/XSS/);</script>