The plugin does not sanitize and escape some of its settings, which allows high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).
Put the following payload in the "Google Analytics" settings of the plugin (in the General section): "><img src onerror=alert(/XSS/)>
The XSS will be triggered when accessing the settings page again, as well as on all frontend pages.
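The missing sanitize-on-save and escape-on-output steps, shown as an added example that is not the plugin's own code. The field name ga_id, the function names and the accepted ID pattern are assumptions, and htmlspecialchars() stands in for WordPress's esc_attr() so the script runs without WordPress.

```php
<?php
// Constructed input: the payload from the report, as submitted in the settings form.
$submitted = '"><img src onerror=alert(/XSS/)>';

// Vulnerable pattern: the stored setting is concatenated into an attribute as-is,
// so the leading "> closes value="" and the rest is parsed as markup.
function render_field_vulnerable(string $value): string {
    return '<input type="text" name="ga_id" value="' . $value . '">';
}

// Fix on save: keep only values shaped like an Analytics ID, otherwise store ''.
// The pattern is an assumption covering the "UA-12345-1" and "G-XXXXXXXXXX" styles.
// In WordPress this would be the 'sanitize_callback' passed to register_setting().
function sanitize_ga_id(string $raw): string {
    $raw = trim($raw);
    return preg_match('/^(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{4,12})$/', $raw) ? $raw : '';
}

// Fix on output: escape for the HTML attribute context (esc_attr() in WordPress).
// Quotes and angle brackets become entities, so the value cannot leave the attribute.
function render_field_escaped(string $value): string {
    return '<input type="text" name="ga_id" value="'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}

// Settings page, before the fix: the <img> element ends up in the page markup.
echo render_field_vulnerable($submitted), PHP_EOL;

// Settings page, after the fix: the payload is shown as inert text in the field.
echo render_field_escaped($submitted), PHP_EOL;

// Save path: the payload is rejected, a well-formed ID (constructed) is kept.
var_dump(sanitize_ga_id($submitted));
var_dump(sanitize_ga_id('G-ABC123DEF4'));
```

The same escaping applies wherever the stored value is printed on frontend pages, using the helper that matches the output context (esc_attr() inside an attribute, esc_js() inside an inline script string).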