The plugin does not sanitise and escape some of its table fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
Create a table, add a column with the following payload "><img src=x onerror=confirm(/XSS-column/)> as Name, then add data with the following payload "><img src=x onerror=confirm(/XSS-data/)>
The XSS will be triggered in the Table Design and Table Row tabs