The plugin does not have a CSRF check in place when updating its settings, which allows attackers to make a logged-in admin perform that action via a CSRF attack. This could lead to Stored XSS issues, because some of the settings lack sanitisation and escaping.
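The three controls this description says are missing (CSRF check, sanitisation, escaping), shown in a settings handler as an added example that is not the affected plugin's code. The `example_plugin` prefix, option name, action name and page slug are hypothetical; the WordPress functions are core APIs.

```php
<?php
// Added example: hypothetical plugin "example_plugin". Option, action, field
// and page names are assumptions, not taken from the affected plugin.

// Render the settings form with a nonce bound to this specific action.
function example_plugin_render_settings() {
    $label = get_option( 'example_plugin_label', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_plugin_save">
        <?php wp_nonce_field( 'example_plugin_save', 'example_plugin_nonce' ); ?>
        <!-- Escape on output so a stored value cannot break out of the attribute. -->
        <input type="text" name="example_plugin_label"
               value="<?php echo esc_attr( $label ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Handle the save request sent to admin-post.php.
function example_plugin_save_settings() {
    // Authorisation: only users who may manage options can change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // CSRF check: the request is rejected unless it carries a valid nonce
    // for this action, which a cross-site request cannot supply.
    check_admin_referer( 'example_plugin_save', 'example_plugin_nonce' );

    // Sanitise on input: strip tags and extra whitespace before storing.
    $label = isset( $_POST['example_plugin_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_plugin_label'] ) )
        : '';
    update_option( 'example_plugin_label', $label );

    wp_safe_redirect( admin_url( 'options-general.php?page=example_plugin' ) );
    exit;
}
add_action( 'admin_post_example_plugin_save', 'example_plugin_save_settings' );
```

The nonce check closes the CSRF path; sanitising on save and escaping on output each independently prevent a stored value from executing as script.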