The plugin does not sanitise its Taxonomy description field, allowing high-privilege users to set a JavaScript payload in it even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue.
Add or edit a Taxonomy (/wp-admin/admin.php?page=st_taxonomiesthe) with the following description: "><img src onerror=alert(/XSS/)>
Then view the Taxonomies table to trigger the XSS.
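A sketch of the two missing controls, filtering on save and escaping on output, added here as an illustration and not taken from the plugin's code. The example_ function names and the table cell markup are assumptions; the WordPress core functions are real and the code is meant to be loaded inside WordPress.

```php
<?php
// Added illustration. Functions prefixed example_ are hypothetical and are
// not the plugin's own code. Assumes WordPress core is loaded.

/**
 * On save: filter markup unless the current user holds unfiltered_html.
 */
function example_sanitize_taxonomy_description( $raw ) {
	// WordPress adds slashes to request data, so remove them first.
	$raw = wp_unslash( (string) $raw );

	if ( current_user_can( 'unfiltered_html' ) ) {
		return $raw;
	}

	// wp_kses_post() keeps only post-safe tags and attributes, so
	// event-handler attributes such as onerror are dropped.
	return wp_kses_post( $raw );
}

/**
 * On output: escape for the context the value lands in, whatever was stored.
 * The <td title="..."> markup is an assumed layout for the listing table.
 */
function example_render_description_cell( $description ) {
	// Unsafe form, for comparison:
	//   '<td title="' . $description . '">' . $description . '</td>'
	// A value starting with "> closes the attribute and the tag, so the
	// remainder is parsed as markup.
	return sprintf(
		'<td title="%s">%s</td>',
		esc_attr( $description ), // attribute context
		esc_html( $description )  // element text context
	);
}
```

Escaping at render time also neutralises descriptions that were stored before any save-time filtering was introduced.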