The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).
Put the payload in any text field of the “8 Do you want to show a subscription form (increases sign-ups)? » Text above the entry field » Text” settings and save:

" style=animation-name:rotation onanimationstart=alert(/XSS/)//

The XSS will be triggered when reaccessing the settings.
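
The flaw described above, as an added example (not the plugin's own code, which this advisory does not show): a hypothetical settings-field renderer with the unescaped output beside the escaped one, listing the attributes an HTML parser finds on the resulting element. The function names, the form_text field name and the use of htmlspecialchars() as a stand-in for WordPress's esc_attr() are assumptions.

```php
<?php
// Added example: hypothetical settings-page renderer, not the plugin's code.

// Constructed sample: the value saved into the "Text" setting (payload from the advisory).
$saved = '" style=animation-name:rotation onanimationstart=alert(/XSS/)//';

// Vulnerable pattern: the stored value is echoed into a double-quoted attribute as-is.
function render_field_unsafe(string $value): string {
    return '<input type="text" name="form_text" value="' . $value . '">';
}

// Hardened pattern: escape for the attribute context at output time.
// In WordPress this is esc_attr(); htmlspecialchars() stands in so the file runs without WordPress.
function render_field_safe(string $value): string {
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="form_text" value="' . $escaped . '">';
}

// Parse the markup and return the attribute names found on the <input> element.
function attribute_names(string $html): array {
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $input = $doc->getElementsByTagName('input')->item(0);
    $names = [];
    if ($input !== null) {
        foreach ($input->attributes as $attr) {
            $names[] = $attr->nodeName;
        }
    }
    return $names;
}

// The unsafe markup is malformed, so collect parser warnings instead of printing them.
libxml_use_internal_errors(true);

$cases = [
    'unescaped'              => render_field_unsafe($saved),
    // Tag stripping on save does not help: the payload contains no tags.
    'strip_tags, unescaped'  => render_field_unsafe(strip_tags($saved)),
    'escaped on output'      => render_field_safe($saved),
];

foreach ($cases as $label => $html) {
    $names = attribute_names($html);
    $handlers = array_filter($names, fn($n) => stripos($n, 'on') === 0);
    echo $label, ': attributes = ', implode(', ', $names),
         '; event handlers = ', count($handlers), PHP_EOL;
}
```

The payload contains no tags, so tag stripping on save leaves it intact; escaping for the attribute context at output is what keeps the stored value inside value="...".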