The plugin does not sanitise and escape some of its settings before saving and outputting them, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example on multisite installations, or when DISALLOW_UNFILTERED_HTML is set).
Plugin settings > Style Settings > button border radius (or other field): enter the following into the input field and save: </style><script>alert('XSS');</script><!--
(The leading </style> closes the style element the value is printed into, so the script element that follows is rendered as markup; the trailing <!-- comments out the rest of the line.)
Plugin settings > Text & localizations > Title of login form: enter the following into the input field and save: <script>alert('XSS');</script>
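The root cause, and its fix, illustrated as an added example that is not the plugin's own code: a raw option value echoed into a <style> block and into heading markup, beside the same output with the value sanitised on save and escaped on output. The stylesheet, heading markup and function names (render_vulnerable, render_hardened, sanitize_border_radius, sanitize_form_title) are invented for the illustration; the shims at the top exist only so the file runs stand-alone with `php` outside WordPress, where the real esc_html(), esc_attr(), absint() and sanitize_text_field() would be used instead.

```php
<?php
// Added example, not the plugin's code. The shims below let this file run
// stand-alone (`php xss-settings-demo.php`); inside WordPress the real
// functions of the same name are already defined and are used instead.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($v): int { return abs((int) $v); }
}
if (!function_exists('sanitize_text_field')) {
    // Simplified stand-in for WordPress' sanitize_text_field(): strip tags
    // and surrounding whitespace.
    function sanitize_text_field(string $s): string {
        return trim(strip_tags($s));
    }
}

// Constructed sample input: the two payloads from the advisory, as a
// high-privilege user would submit them through the settings form.
$border_radius_input = "</style><script>alert('XSS');</script><!--";
$form_title_input    = "<script>alert('XSS');</script>";

// Vulnerable pattern: option values echoed as-is. The first payload closes
// the <style> element and the browser then parses the script element; the
// second payload is emitted directly as markup inside the heading.
function render_vulnerable(string $radius, string $title): string {
    return "<style>.login-btn{border-radius:{$radius}px;}</style>\n"
         . "<h2 class=\"login-title\">{$title}</h2>\n";
}

// Hardened pattern, part 1: sanitise on save. In WordPress this logic goes in
// the 'sanitize_callback' argument of register_setting(). A border radius is
// a number, so anything non-numeric is discarded rather than escaped.
function sanitize_border_radius($v): int {
    return min(absint($v), 100); // clamp to a sane range as well
}
function sanitize_form_title($v): string {
    return sanitize_text_field((string) $v);
}

// Hardened pattern, part 2: escape on output for the context the value lands
// in. An integer radius cannot break out of the <style> block; the title is
// HTML-escaped even though it was sanitised on save (escape late, always).
function render_hardened(int $radius, string $title): string {
    return "<style>.login-btn{border-radius:" . absint($radius) . "px;}</style>\n"
         . "<h2 class=\"login-title\">" . esc_html($title) . "</h2>\n";
}

echo "--- vulnerable ---\n";
echo render_vulnerable($border_radius_input, $form_title_input);

echo "--- hardened ---\n";
echo render_hardened(
    sanitize_border_radius($border_radius_input),
    sanitize_form_title($form_title_input)
);
```

Run stand-alone, the vulnerable branch prints the payloads verbatim (the first one terminates the <style> element mid-rule), while the hardened branch prints `border-radius:0px` and `alert(&#039;XSS&#039;);` as inert text. The point for a plugin author is that a user's unfiltered_html capability is irrelevant here: settings pages bypass the post-content filters, so each option needs its own sanitize_callback at registration time and context-appropriate escaping (esc_html, esc_attr, a numeric cast for CSS values) wherever it is printed.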