The plugin does not sanitise and escape the Link field, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Put the following payload in the Link settings of a body party and save the change: "></script><script>alert(/XSS-link/)</script>