The plugin does not sanitise and escape some parameters before outputting them in attributes and on the page, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Add/edit a new button, set its Button action to "Website URL" and add the following payload as URL: javascript:alert(/XSS/)
As label, the following payload can be used as well: <img src onerror=alert(/XSS-Label/)>
Publish it and the XSS will be triggered when viewing the page with the button (without user interaction for the XSS in the label field, and on clicking the button for the XSS in the URL).
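The missing controls are a scheme allow-list for the button URL and output escaping for both fields. The following PHP is an added example, not the plugin's code: the function names and the allow-list are hypothetical, and it uses plain PHP so it runs outside WordPress, where esc_url() and esc_html() fill the same roles on output.

```php
<?php
// Added example; all names here are hypothetical, not taken from the plugin.

// Assumed allow-list of schemes a button link may use.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto', 'tel'];

// "Before": saved settings are concatenated straight into the markup.
function render_button_unescaped(string $url, string $label): string
{
    return '<a class="btn" href="' . $url . '">' . $label . '</a>';
}

// Returns the URL if it is relative or uses an allow-listed scheme, else '#'.
function safe_button_url(string $url): string
{
    // Remove control characters and whitespace before inspecting the scheme.
    $url = preg_replace('/[\x00-\x20\x7F]+/', '', $url) ?? '';
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)
        && !in_array(strtolower($m[1]), ALLOWED_SCHEMES, true)) {
        return '#';
    }
    return $url;
}

// "After": the URL is scheme-checked, then both values are escaped for
// the context they land in (attribute value and element text).
function render_button_escaped(string $url, string $label): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $href  = htmlspecialchars(safe_button_url($url), $flags, 'UTF-8');
    $text  = htmlspecialchars($label, $flags, 'UTF-8');
    return '<a class="btn" href="' . $href . '">' . $text . '</a>';
}

// The two values from the steps above, plus a constructed benign button.
$url   = 'javascript:alert(/XSS/)';
$label = '<img src onerror=alert(/XSS-Label/)>';

echo render_button_unescaped($url, $label), PHP_EOL;
echo render_button_escaped($url, $label), PHP_EOL;
echo render_button_escaped('https://example.com/?a=1&b=2', 'Read more'), PHP_EOL;
```

In a WordPress plugin the same checks would also be applied when the settings are saved, for example with esc_url_raw() and sanitize_text_field(), so that the stored values are already constrained.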