The plugin does not escape some of its settings, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Put the following payload in the Google Product Category setting of the plugin (at wp-admin/admin.php?page=fca_pc_settings_page, in E-Commerce > Advanced Feed Settings; needs WooCommerce activated):

' style=animation-name:rotation onanimationstart=alert(/XSS/)//

The XSS will be triggered when the setting is shown again.
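
The missing output escaping described above, shown as an added example that is not the plugin's own code: the same stored value is rendered into a single-quoted attribute once as-is and once through esc_attr(), and the resulting tag is parsed to list the attributes it ends up with. The function names and the field name example_category are hypothetical, and the esc_attr() stand-in exists only so the file runs outside WordPress.

```php
<?php
// Added illustration; not taken from the plugin. All names here are hypothetical.

// Stand-in so the file runs outside WordPress (assumption: inside WordPress
// the real esc_attr() is already defined and this branch is skipped).
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Before: the stored setting is concatenated straight into the attribute.
function render_field_unescaped($value) {
    return "<input type='text' name='example_category' value='" . $value . "'>";
}

// After: the stored setting is escaped for an attribute context at output time,
// which holds regardless of which capabilities the saving user had.
function render_field_escaped($value) {
    return "<input type='text' name='example_category' value='" . esc_attr($value) . "'>";
}

// Parse the rendered tag and return the attribute names it actually carries.
function attribute_names($html) {
    libxml_use_internal_errors(true);   // tolerate fragment-level parser warnings
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $names = [];
    $input = $doc->getElementsByTagName('input')->item(0);
    if ($input !== null) {
        foreach ($input->attributes as $attr) {
            $names[] = $attr->name;
        }
    }
    return $names;
}

// The value from the proof of concept on this page, as it would sit in the database.
$stored = "' style=animation-name:rotation onanimationstart=alert(/XSS/)//";

echo "unescaped: ", implode(', ', attribute_names(render_field_unescaped($stored))), PHP_EOL;
echo "escaped:   ", implode(', ', attribute_names(render_field_escaped($stored))), PHP_EOL;
```

Any attribute beyond type, name and value in the first list means the stored value broke out of the value attribute; the same comparison can be used as a regression check on a patched settings page.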