The plugin does not sanitise and escape its settings, which could allow high-privilege users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
Put the following payload in any of the plugin’s settings (such as Opacity): ">
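The fix for this class of issue is to sanitise the setting when it is saved and escape it when it is rendered. The fragment below is an added example, not the plugin's own code: the option name `example_opacity`, the settings group and all `example_*` function names are hypothetical, and it assumes it is loaded inside WordPress as part of a plugin.

```php
<?php
// Hypothetical plugin fragment: the option name "example_opacity" and all
// function names are assumptions for illustration, not the plugin's code.

// Vulnerable pattern: the stored value is written into an attribute as-is,
// so a quote character in the setting ends the attribute early.
function example_render_opacity_field_unsafe() {
    $opacity = get_option( 'example_opacity', '1' );
    echo '<input type="text" name="example_opacity" value="' . $opacity . '">';
}

// Hardened: sanitise on save. Opacity is numeric, so coerce to a float and
// clamp to 0..1 instead of storing arbitrary text.
function example_sanitize_opacity( $value ) {
    $value = is_scalar( $value ) ? (float) $value : 1.0;
    return (string) max( 0.0, min( 1.0, $value ) );
}

function example_register_settings() {
    register_setting(
        'example_settings_group',
        'example_opacity',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_sanitize_opacity',
            'default'           => '1',
        )
    );
}
add_action( 'admin_init', 'example_register_settings' );

// Hardened: escape on output as well, so values stored before the fix (or
// written directly to the database) are still rendered inertly.
function example_render_opacity_field() {
    $opacity = get_option( 'example_opacity', '1' );
    printf(
        '<input type="text" name="example_opacity" value="%s">',
        esc_attr( $opacity )
    );
}
```

Free-text settings that cannot be coerced to a number would use `sanitize_text_field()` as the save callback, with the same `esc_attr()` or `esc_html()` call at output.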