The plugin does not sanitise and escape some template fields, even when the high-privilege user saving them does not have the unfiltered_html capability, which could lead to Stored Cross-Site Scripting issues.
Customise a template from the plugin (/wp-admin/admin.php?page=cscs_templates) and put the following payload in the Paragraph Text or Descriptive Text field (depending on the template): <script>alert(/XSS/)</script>
The XSS will be triggered when previewing the template, as well as when the "Enable Coming Soon or Site Offline" general option is enabled and the frontend is accessed.
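For the fix side, here is a hypothetical save/render pair for one template field, written as an added illustration and not taken from the plugin's own code; the option keys and function names are assumptions, while the WordPress API calls (current_user_can, wp_kses_post, sanitize_text_field, esc_html) are real.

```php
<?php
// Added illustration, not the plugin's code. Option keys and function names are
// assumed; they mirror the "Descriptive Text" field the advisory describes.

// Save handler: mirror what core does for post content. A user without
// unfiltered_html gets the value run through wp_kses_post(), which strips
// <script> elements and on* event-handler attributes; a user who does hold the
// capability keeps raw HTML, as core already allows them elsewhere.
function example_cscs_save_descriptive_text( $raw ) {
    // Only users allowed to manage the plugin may write the option at all,
    // and the request must carry the form's nonce (action name assumed).
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    check_admin_referer( 'example_cscs_save_template' );

    $value = wp_unslash( $raw );
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $value = wp_kses_post( $value );
    }
    return update_option( 'example_cscs_descriptive_text', $value );
}

// Render: used by both the admin preview and the coming-soon front end, the two
// places the advisory says the payload fires. Re-applying wp_kses_post() at
// output time is defence in depth: a value stored before the fix, or written by
// another code path, still cannot execute script.
function example_cscs_render_descriptive_text() {
    $value = get_option( 'example_cscs_descriptive_text', '' );
    echo wp_kses_post( $value );
}

// Fields that are meant to be plain text (a heading, a button label) should not
// carry markup at all: strip it on save and escape on output.
function example_cscs_save_heading( $raw ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    check_admin_referer( 'example_cscs_save_template' );
    return update_option( 'example_cscs_heading', sanitize_text_field( wp_unslash( $raw ) ) );
}

function example_cscs_render_heading() {
    echo esc_html( get_option( 'example_cscs_heading', '' ) );
}
```

With this in place the payload from the advisory is reduced to inert text for a user without unfiltered_html, and the output-side filtering covers the preview and front-end paths independently of how the value reached the database.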