Description

The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).
1. Click on the "Add new" tab.
2. Select the "Menu" tab.
3. Enter the JavaScript payload in the "Link" field: javascript:alert(/XSS/);
4. Save it, visit the site, and click on the bubble menu.
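
The fix pattern for this class of bug, as an added example that is not the plugin's own code: restrict the link's URL scheme when the setting is saved, and escape it again when the menu is rendered. The option name, field keys and function names are hypothetical, and the code assumes it is loaded inside WordPress.

```php
<?php
// Added example, not the plugin's code. The option name, field keys and
// function names below are hypothetical.

// Schemes a menu link may use; "javascript" is deliberately absent.
const EXAMPLE_MENU_LINK_SCHEMES = array( 'http', 'https', 'mailto', 'tel' );

// Sanitize on save: runs whenever the option is written through the Settings API.
function example_sanitize_menu_items( $items ) {
    $clean = array();
    foreach ( (array) $items as $item ) {
        if ( ! is_array( $item ) ) {
            continue;
        }
        $label = sanitize_text_field( $item['label'] ?? '' );
        // esc_url_raw() returns '' when the scheme is not in the allow-list,
        // so "javascript:alert(/XSS/);" is stored as an empty string.
        $link = esc_url_raw( trim( (string) ( $item['link'] ?? '' ) ), EXAMPLE_MENU_LINK_SCHEMES );
        if ( '' === $link ) {
            continue; // Drop entries whose link did not survive validation.
        }
        $clean[] = array( 'label' => $label, 'link' => $link );
    }
    return $clean;
}

add_action( 'admin_init', function () {
    register_setting( 'example_menu_group', 'example_menu_items', array(
        'type'              => 'array',
        'sanitize_callback' => 'example_sanitize_menu_items',
        'default'           => array(),
    ) );
} );

// Escape on output as well: values stored before the sanitizer existed
// may still hold a javascript: link.
function example_render_menu() {
    $items = get_option( 'example_menu_items', array() );
    echo '<ul class="example-menu">';
    foreach ( (array) $items as $item ) {
        $href = esc_url( $item['link'] ?? '', EXAMPLE_MENU_LINK_SCHEMES );
        if ( '' === $href ) {
            continue;
        }
        printf( '<li><a href="%s">%s</a></li>', $href, esc_html( $item['label'] ?? '' ) );
    }
    echo '</ul>';
}
```

Both layers matter here because the description says the settings are neither sanitized nor escaped: the save-time check stops new payloads, and the render-time check covers rows already in the database.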