The plugin does not escape some of its Field Editor settings when outputting them, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Go to the "Field Editor" page. Put the following XSS payload into the "Placeholder / Options" field and save the changes: abc"><script>alert('xss')</script>
The XSS will be triggered when accessing the page again.
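
The missing output escaping described above, shown as an added example that is not the plugin's own code: a hypothetical render function writes a stored placeholder into an HTML attribute as-is, next to a version that applies WordPress's esc_attr(). The function names, the demo_field input and the simplified stand-ins for esc_attr() and sanitize_text_field() (defined only when the script runs outside WordPress) are assumptions.

```php
<?php
// Added example: hypothetical rendering code, not the plugin's source.
// Outside WordPress, define simplified stand-ins so the script runs alone.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($text) {
        // Simplified: the real function also removes <script>/<style>
        // contents, invalid UTF-8 and percent-encoded octets.
        return trim(preg_replace('/\s+/', ' ', strip_tags((string) $text)));
    }
}

// Vulnerable pattern: the stored setting is concatenated into the
// attribute unchanged, so a double quote ends the attribute value.
function render_placeholder_unsafe($placeholder) {
    return '<input type="text" name="demo_field" placeholder="' . $placeholder . '">';
}

// Hardened pattern: escape for the attribute context at output time.
function render_placeholder_safe($placeholder) {
    return '<input type="text" name="demo_field" placeholder="' . esc_attr($placeholder) . '">';
}

// Defence in depth: strip markup when the setting is saved, so the
// stored value is plain text regardless of the user's capabilities.
function save_placeholder($raw) {
    return sanitize_text_field($raw);
}

// Value taken from the proof of concept on this page.
$stored = 'abc"><script>alert(\'xss\')</script>';

echo "unsafe: ", render_placeholder_unsafe($stored), PHP_EOL;
echo "safe:   ", render_placeholder_safe($stored), PHP_EOL;
echo "saved:  ", render_placeholder_safe(save_placeholder($stored)), PHP_EOL;
```

In the "safe" output the quote and angle brackets appear as HTML entities inside the placeholder attribute, so the browser treats the whole value as text. Escaping at output is the control that matters here, because it holds even for values already stored before any save-time sanitisation was added.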