The plugin does not escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed
Put the following payload in the Account Name settings and click on the 'Change App name' button: " autofocus onfocus=alert(/XSS/)//