The plugin does not escape and sanitise the preheader_text setting, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Proof of concept:

1. Go to Newsletter > Newsletters in the WordPress admin panel (e.g. https://wordpress.local/wp-admin/admin.php?page=newsletter_emails_index).
2. Create a new newsletter, then choose any template type (default presets) except Raw HTML.
3. Enter the simple test XSS payload in the Snippet input. Payload: Test Snippet
4. Click "Save" and then "Next". The stored XSS payload will execute.
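One way to close this class of issue, as an added example that is not the plugin's own code (the function names and the way the setting is read and rendered are assumptions): sanitise the preheader text on save according to the user's unfiltered_html capability, and escape it again wherever it is printed into HTML.

```php
<?php
// Added example, not the plugin's code. nl_sanitize_preheader() and
// nl_render_preheader() are hypothetical names; the plugin's real
// save/render hooks are not known from the advisory.

// Sanitise on save. Only users WordPress grants 'unfiltered_html' may
// store raw markup; everyone else (including admins where that capability
// is disallowed) gets tags stripped.
function nl_sanitize_preheader( $raw ) {
    $value = wp_unslash( $raw );
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    // A preheader is plain preview text, so strip all tags outright.
    return sanitize_text_field( $value );
}

// Escape on output. The preheader is rendered inside the email preview
// HTML, so escape it regardless of who saved it; this alone stops the
// stored script from executing even if sanitisation was skipped.
function nl_render_preheader( $preheader ) {
    return '<div style="display:none;max-height:0;overflow:hidden;">'
        . esc_html( $preheader )
        . '</div>';
}
```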