The plugin does not escape its form name, which could lead to Stored Cross-Site Scripting issues. By default only SuperAdmins (in multisite) / admins (in single site) can create forms, however there is a settings allowing them to give lower roles access to such feature.
Create a new form with the following name: " style=animation-name:rotation onanimationstart=alert(/XSS/)//
Save it and access the plugin's dashboard again to trigger the XSS