The plugin does not sanitise and escape the Header Title, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Create a new Grid/Caroussel, in the General Settings, enable "Display Header Title" and put the following payload in the "Header Title" field: <svg onload=alert(/XSS/)>
The XSS will be triggered when viewing the Post Grid/Carousel in the post.