The plugin does not escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
As admin, put the following payload in the "Provide your IP-API Pro key", "Memcached Server Host", "Set the realtime script refresh inverval" or "Memcached Server Port" settings and save: "autofocus onfocus=alert(/XSS/)//
(Note: for settings expecting an integer, change the type=number to type=text with the browser inspector to be able to put the payload)