The plugin allows bad actors with administrator privileges to the settings page to inject Javascript code to its settings leading to stored Cross-Site Scripting that will only affect administrator users.
In Page/Post Access tab, Use XSS Payload as "><script>alert('XSS')</script> in any of the pages available.
XSS will be triggered at the plugin's admin panel.