The plugin does not sanitise and escape some of its settings, which could allow users with the role of author and above to perform Stored Cross-Site Scripting attacks.
1. Create a "New Inventory Item"
2. In the "Description" field, add the value `"><script>alert("xss")</script>`
3. Edit the created item and see the XSS.