The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Put the following payload in the "Currency Symbol" setting of the plugin and save: "><svg/onload=prompt(/XSS/)>
Other settings are affected as well (such as Minimum Payout Amount, Email Name, etc.).
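The defensive side of this bug class, as an added example and not code from the affected plugin: the unsafe save/render path for a Currency Symbol setting next to a hardened version that registers a sanitize_callback and escapes on output. Option, function and settings-group names are hypothetical.

```php
<?php
// Added example (not the plugin's code); option/function names are hypothetical.
// Plugin settings pages are not covered by the kses filtering that the
// unfiltered_html capability controls, so the plugin must sanitise and escape
// its own option values.

// UNSAFE: raw POST value stored verbatim and echoed back unescaped, so a stored
// value containing "> closes the attribute and injects markup for any
// administrator who opens the settings page.
function vuln_save_currency_symbol() {
    update_option( 'myplugin_currency_symbol', $_POST['currency_symbol'] );
}
function vuln_render_currency_symbol() {
    echo '<input type="text" name="currency_symbol" value="'
        . get_option( 'myplugin_currency_symbol' ) . '">';
}

// FIXED: register each option with a type-appropriate sanitize_callback, which
// WordPress runs on every save (including submissions through options.php).
function myplugin_register_settings() {
    register_setting( 'myplugin_options', 'myplugin_currency_symbol', array(
        'type'              => 'string',
        'sanitize_callback' => 'myplugin_sanitize_currency_symbol',
        'default'           => '$',
    ) );
    register_setting( 'myplugin_options', 'myplugin_min_payout', array(
        'type'              => 'number',
        'sanitize_callback' => 'myplugin_sanitize_min_payout',
        'default'           => 0,
    ) );
}
add_action( 'admin_init', 'myplugin_register_settings' );

function myplugin_sanitize_currency_symbol( $value ) {
    // Strip tags and control characters, then cap the length: a currency
    // symbol never legitimately needs room for markup.
    return mb_substr( sanitize_text_field( wp_unslash( $value ) ), 0, 5 );
}

function myplugin_sanitize_min_payout( $value ) {
    // Numeric settings should be coerced, not filtered as text.
    return max( 0, (float) $value );
}

function myplugin_render_currency_symbol() {
    // esc_attr() encodes quotes and angle brackets at output time, so the
    // page is safe even for values stored before the sanitiser existed.
    printf(
        '<input type="text" name="myplugin_currency_symbol" value="%s">',
        esc_attr( get_option( 'myplugin_currency_symbol', '$' ) )
    );
}
```

Existing rows saved by the unsafe path stay dangerous until they are re-saved or migrated through the sanitiser, which is why output escaping is applied independently of input sanitisation.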