The plugin does not sanitise and escape a settings before outputting it in the Debug page, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Put the following payload in the "Try to increase the memory limit to" settings of the plugin: <script>alert(/XSS/)</script>
The XSS will be triggered when accessing the Debug Function, e.g: https://example.com/wp-admin/options-general.php?page=google-sitemap-generator%2Fsitemap.php&sm_rebuild=true&sm_do_debug=true&_wpnonce=3e59e7544a