The plugin does not escape some of its settings before outputting them in attributes, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Go to the plugin Settings > Messages > Taxonomies (/wp-admin/admin.php?page=MEC-settings&tab=MEC-messages)
Put the following payload in the Category Plural Label, Category Plural Label or Label Plural Label fields: "><script>alert(/XSS/)</script>
The XSS will be triggered on any backend page
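The mitigation for this class of bug is to escape the stored setting for the attribute context at output time. The following is an added example, not the plugin's code: the function names and the `category_plural_label` key are hypothetical, and `esc_attr()` gets a stand-in so the script also runs outside WordPress.

```php
<?php
// Added illustration, not code from the plugin. Field and function names are hypothetical.

// Outside WordPress, stand in for esc_attr() with htmlspecialchars();
// inside WordPress the real esc_attr() is already defined and is used instead.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the saved setting is echoed raw into a value="" attribute.
function render_label_field_unescaped(array $settings): string {
    return '<input type="text" name="category_plural_label" value="'
        . $settings['category_plural_label'] . '">';
}

// Hardened pattern: escape for the attribute context when the value is output.
function render_label_field_escaped(array $settings): string {
    return '<input type="text" name="category_plural_label" value="'
        . esc_attr($settings['category_plural_label']) . '">';
}

// Constructed sample: the proof-of-concept value from the steps above, stored as a setting.
$settings = ['category_plural_label' => '"><script>alert(/XSS/)</script>'];

$raw  = render_label_field_unescaped($settings);
$safe = render_label_field_escaped($settings);

// A literal <script> tag in the rendered HTML means the value broke out of the attribute.
printf("unescaped output contains <script>: %s\n", strpos($raw, '<script>') !== false ? 'yes' : 'no');
printf("escaped output contains <script>:   %s\n", strpos($safe, '<script>') !== false ? 'yes' : 'no');
echo $safe, "\n";
```

Because the escaping happens at output, it holds regardless of whether the user saving the setting has the unfiltered_html capability.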