The plugin does not sanitise and escape its “License ID” settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.
Put the following payloads in the “License ID” setting of the plugin and save: ">