The plugin does not sanitize and escape some of its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
As admin, put the following payload in the "More text information" settings of the plugin: <img src onerror=alert(/XSS/)>
The XSS will be triggered in the frontend when in Coming Soon Mode