The plugin does not sanitise and escape its Text Block fields, which could allow users with access to the plugin’s editor to perform Cross-Site Scripting attacks.
Create a post using the plugin editor, add a Text Block and put the following payload in its content: <img src onerror=alert(/XSS/)>
The XSS will be triggered when editing the post again, as well as when viewing the post.
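The missing handling, as an added example that is not the plugin's own code: the field is sanitised when saved and escaped again at both places where the payload fires (the editor and the post view). Every example_* function name, the field and nonce names, and the meta key are hypothetical; only the WordPress core functions are real.

```php
<?php
// Added illustration. All example_* names and the meta key are hypothetical.
const EXAMPLE_META_KEY = '_example_text_block';

// Save path: sanitise before storing.
function example_save_text_block( $post_id ) {
    if ( ! isset( $_POST['example_text_block'], $_POST['example_text_block_nonce'] ) ) {
        return;
    }
    $nonce = sanitize_text_field( wp_unslash( $_POST['example_text_block_nonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'example_save_text_block' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $raw = wp_unslash( $_POST['example_text_block'] );
    // wp_kses_post() keeps only the tags and attributes allowed in post
    // content, so event-handler attributes such as onerror are dropped.
    $clean = wp_kses_post( $raw );
    // update_post_meta() unslashes its value, so re-slash the clean string.
    update_post_meta( $post_id, EXAMPLE_META_KEY, wp_slash( $clean ) );
}
add_action( 'save_post', 'example_save_text_block' );

// Editor sink ("when editing the post again"): the stored value is placed
// inside a form control, so it is escaped for that context.
function example_render_editor_field( $post ) {
    $value = get_post_meta( $post->ID, EXAMPLE_META_KEY, true );
    wp_nonce_field( 'example_save_text_block', 'example_text_block_nonce' );
    printf(
        '<textarea name="example_text_block" rows="6" cols="60">%s</textarea>',
        esc_textarea( $value )
    );
}

// Front-end sink ("when viewing the post"): filter again on output, so
// values stored before the save-time fix are also neutralised.
function example_render_text_block( $post_id ) {
    $value = get_post_meta( $post_id, EXAMPLE_META_KEY, true );
    return '<div class="example-text-block">' . wp_kses_post( $value ) . '</div>';
}
```

Filtering on output as well as on save matters here because content stored before a fix stays in the database and would otherwise still execute in both views.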