The plugin does not sanitise and escape some of the Product fields, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Add/edit a product and put the following payload in the Product Affiliate URL, Custom Button Text fields: "><img src onerror=alert(/XSS/)>
The Product Description field is also affected, with the following payload: </textarea><img src onerror=alert(/XSS/)>
The XSS will be triggered when viewing the Product in a page, or when editing the Product in the admin dashboard