The plugin does not sanitise and escape some of its Icons settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Activate the Share Icons feature of the plugin, edit one of the Icon settings and put the following payload in the "Text to show next to icon" field: <img src onerror=alert(/XSS/)>
Save the icon settings, and then the Share Icon settings. The XSS will be triggered in all frontend posts