Authenticated stored cross-site scripting issues in some of the plugin settings, requiring high privileges.
Affected fields are in the settings of the plugin and will be triggered when the common soon page is displayed (either the preview or normal one):
Logo: x' onerror='alert(/XSS/)
Headlines: <script>alert(/XSS/</script> (for v < 5.1.1), <img src=x onerror=alert(/XSS/)/> (for v < 5.1.2)