The plugin allows bad actors with administrator privileges to the settings page to inject Javascript code to its settings leading to stored Cross-Site Scripting that will only affect administrator users.
In Page/Post Access tab, Use XSS Payload as "> in any of the pages available. XSS will be triggered at the plugin’s admin panel.