The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Set βGreeting Textβ option to:
<script>alert(1)</script>
Set βEnable the login box shortcode? [wplb]β option to:
Enabled
Shortcode:
[wplb]