The plugin does not sanitize and escape the Custom Text settings, which could allow high privilege user such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
In a form settings, put the following payload in the Actions after submission > Action Type > Custom Text: <img src onerror=alert(/XSS/)>
The XSS will be triggered after a form is submitted