The plugin does not properly sanitize its "Simple Banner Text" setting, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Put either of the following payloads in the "Simple Banner Text" setting of the plugin (the first one contains a literal tab character inside "javascript", which is what lets it past a naive "javascript:" prefix check; the second is built so that removing the inner <script> tag once leaves a valid outer one):
<a href="jav	ascript:alert(document.cookie)">Firefox</a>
<sc<script>ript>alert(/XSS/)</scr</script>ipt>
Then load any frontend page on which the banner is displayed to trigger the XSS.
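The two payloads above are shaped to defeat blocklist-style filtering. The following Python example is added here to illustrate why; it is not the plugin's code, and the advisory does not say how the plugin filters, so naive_filter() is a hypothetical stand-in for a single-pass blocklist. Beside it is an allowlist sanitizer built on the standard-library html.parser that keeps only known-safe tags, drops every other tag (its text survives, entity-escaped), and validates href schemes only after stripping the tab/newline/control characters that browsers ignore. Both payloads are embedded as constructed test input.

```python
import html
import re
from html.parser import HTMLParser

# The two payloads from the advisory, constructed here as test input.
# The "\t" inside "jav\tascript" is the whole point of the first one.
PAYLOAD_TAB_SCHEME = '<a href="jav\tascript:alert(document.cookie)">Firefox</a>'
PAYLOAD_NESTED_TAG = "<sc<script>ript>alert(/XSS/)</scr</script>ipt>"


def naive_filter(text: str) -> str:
    """Hypothetical blocklist filter of the kind these payloads defeat.
    Not the plugin's code: the advisory does not say how the plugin filters."""
    # One pass of <script>/</script> removal: stripping the inner tags
    # re-assembles the outer <script>alert(/XSS/)</script>.
    text = re.sub(r"<\s*/?\s*script[^>]*>", "", text, flags=re.IGNORECASE)
    # A literal prefix match misses "jav\tascript:", which browsers still run.
    text = re.sub(r'href\s*=\s*"javascript:', 'href="#', text, flags=re.IGNORECASE)
    return text


# --- allowlist approach -----------------------------------------------------

ALLOWED_TAGS = {"a", "b", "strong", "i", "em", "br", "p"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_href(value: str) -> bool:
    """Accept relative URLs and allowlisted schemes only.

    Browsers strip tab and newline characters from anywhere in a URL before
    reading the scheme, so the check strips them (and other control chars) too.
    HTMLParser has already decoded entities such as &#106; by the time the
    attribute value reaches this function."""
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value).lower()
    match = re.match(r"^([a-z][a-z0-9+.\-]*):", cleaned)
    if match is None:
        return True  # no scheme at all: a relative URL
    return match.group(1) in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises input keeping only ALLOWED_TAGS/ALLOWED_ATTRS.

    Anything the parser does not recognise as an allowed tag is dropped, and
    all character data is re-escaped, so mangled tags like <sc<script>ript>
    can never reach the output as markup."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its inner text is still emitted as text
        parts = [tag]
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not safe_href(value):
                continue  # unsafe scheme: keep the link text, drop the href
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    # Comments, doctype declarations and processing instructions are dropped.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def unknown_decl(self, data):
        pass


def sanitize(text: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    for payload in (PAYLOAD_TAB_SCHEME, PAYLOAD_NESTED_TAG):
        print("naive    :", naive_filter(payload))
        print("allowlist:", sanitize(payload))
```

Run as a script it prints, for each payload, what the blocklist lets through (the tab-scheme link intact, and a fully re-assembled script tag) next to the allowlist result (a bare <a>Firefox</a>, and the second payload reduced to escaped text). In a WordPress plugin the allowlist step is what wp_kses_post() provides when it is registered as the option's sanitize_callback; the value must still be escaped again (esc_html() or wp_kses_post()) at the point where it is echoed into the frontend page.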