The plugin does not escape custom fields before outputting them, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Please note that such an attack is still possible by Admin+ users on single-site blogs by default (but won't be when the unfiltered_html capability is disallowed).
As a Contributor, add a custom field to a post (while in the post editor, open the Options panel > Preferences > Panels and enable Custom Fields), such as test_xss with a value of <script>alert(/XSS/)</script>
Then add the shortcode [field test_xss] to the post and view/preview it to trigger the XSS.
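As an added illustration (hypothetical code written for this page, not the affected plugin's own handler), here is a `[field]` shortcode callback in the unescaped form the advisory describes, beside the fixed form that escapes the meta value on output; the function names are assumed.

```php
<?php
// Hypothetical [field name] shortcode handlers; not the plugin's real code.
// Both read a custom field (post meta) of the current post and return it
// for rendering. Attribute may be positional ([field test_xss]) or named
// ([field name="test_xss"]).
function field_shortcode_meta_key( $atts ) {
    if ( isset( $atts['name'] ) ) {
        return sanitize_key( $atts['name'] );
    }
    return isset( $atts[0] ) ? sanitize_key( $atts[0] ) : '';
}

// Vulnerable pattern: the stored value is returned verbatim, so a value such
// as <script>alert(/XSS/)</script> saved by a Contributor is rendered as
// live markup when the post is viewed or previewed.
function vuln_field_shortcode( $atts ) {
    $key = field_shortcode_meta_key( (array) $atts );
    if ( '' === $key ) {
        return '';
    }
    return get_post_meta( get_the_ID(), $key, true ); // no output escaping
}

// Fixed pattern: escape on output. esc_html() converts <, >, & and quotes to
// entities, so the browser displays the literal text instead of executing it.
// If the field is intended to carry limited HTML, wp_kses_post() is the
// alternative; it keeps only the tags a post author may use anyway.
function safe_field_shortcode( $atts ) {
    $key = field_shortcode_meta_key( (array) $atts );
    if ( '' === $key ) {
        return '';
    }
    $value = get_post_meta( get_the_ID(), $key, true );
    if ( ! is_string( $value ) ) {
        return ''; // arrays/objects in meta are not printable here
    }
    return esc_html( $value );
}

// Register only the escaping version.
add_shortcode( 'field', 'safe_field_shortcode' );
```

The check to run against a plugin you maintain is the same as the one the advisory implies: grep every shortcode callback that reads `get_post_meta()` and confirm its return value passes through `esc_html()`, `esc_attr()` or `wp_kses_post()` before it reaches the page.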