The plugin does not sanitise or escape some of its settings, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Put the following payload in any of the fields in the ‘Basic Settings’ section of the plugin’s settings (/wp-admin/admin.php?page=stb-settings): " autofocus onfocus=alert(/XSS/)//
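The pattern behind this class of bug, as an added example that is not the plugin's code (the field name `stb_title` and all function names are hypothetical): a stored setting echoed into a double-quoted attribute without escaping, beside the escaped form, with a DOM check that lists any attributes the stored value managed to add. `htmlspecialchars()` stands in for WordPress's `esc_attr()` so the file runs without WordPress loaded.

```php
<?php
// Added illustration; not the plugin's code. Names below are hypothetical.

// Vulnerable pattern: stored setting concatenated into a double-quoted
// attribute, so a value containing `"` closes the attribute early.
function render_field_unsafe(string $name, string $value): string {
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: escape for the attribute context at output time.
// In WordPress use esc_attr(); htmlspecialchars() stands in for it here.
function render_field_safe(string $name, string $value): string {
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<input type="text" name="' . htmlspecialchars($name, $flags, 'UTF-8')
        . '" value="' . htmlspecialchars($value, $flags, 'UTF-8') . '">';
}

// Regression check: parse the markup and list the <input> attribute names.
function attribute_names(string $html): array {
    $previous = libxml_use_internal_errors(true); // tolerate HTML5-style markup
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

$stored  = '" autofocus onfocus=alert(/XSS/)//'; // value from the advisory
$allowed = ['type', 'name', 'value'];
$cases   = [
    'unsafe' => render_field_unsafe('stb_title', $stored),
    'safe'   => render_field_safe('stb_title', $stored),
];
foreach ($cases as $label => $html) {
    $extra = array_diff(attribute_names($html), $allowed);
    echo $label, ': ', $html, "\n";
    echo '  unexpected attributes: ', $extra ? implode(', ', $extra) : 'none', "\n";
}
```

Sanitising on save with `sanitize_text_field()` is still worthwhile, but it leaves `"` in place, so escaping at output is what closes this hole.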