The plugin does not properly sanitize some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
1. Go to http://example.com/wp-admin/admin.php?page=image-protector%2Fimage-protector.php.
2. Paste the payload in the user agent check input field: </textarea><script>alert(1008)</script>
3. Save changes, and XSS will be triggered.