The plugin does not escape Field Error Message, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
Create/edit a Comment Fields (Comments > Comment Fields) and put the following payload in the Error Message setting: "autofocus onfocus=alert(/XSS/)// The XSS will be triggered in any post