The plugin does not sanitize or escape the hover text, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
As admin, put the following in the plugin's settings: test => "><script>alert(/XSS/)</script>
Tick the "Enable text hover in comments?" option, post a comment on a post/page containing the word 'test', and hover over it to trigger the XSS.
Editing a post and inserting the word 'test' in its content achieves the same result.
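For comparison, the handling that would close this class of issue, as an added example that is not the plugin's own code: the setting is sanitized on save and every value is escaped for the context it is output into, regardless of the author's capabilities. It assumes the plugin renders each matched word as an abbr element with the hover text in its title attribute; the option, setting-group and function names are hypothetical.

```php
<?php
// Added example, not code from the affected plugin. Assumes a "word => hover text"
// setting rendered as <abbr title="hover text">word</abbr>; names are hypothetical.

// Sanitize the mapping when the setting is saved (one "word => hover" pair per line).
function example_sanitize_hover_map( $raw ) {
    $clean = array();
    foreach ( explode( "\n", (string) $raw ) as $line ) {
        $parts = explode( '=>', $line, 2 );
        if ( 2 !== count( $parts ) ) {
            continue; // ignore malformed lines
        }
        $word  = sanitize_text_field( $parts[0] );
        $hover = sanitize_text_field( $parts[1] ); // strips tags such as <script>
        if ( '' !== $word ) {
            $clean[ $word ] = $hover;
        }
    }
    return $clean;
}

// Escape at output time for the context each value lands in. This must not be
// skipped for administrators: unfiltered_html being disallowed means no user may
// inject markup through this setting.
function example_render_hover( $word, $hover ) {
    return sprintf(
        '<abbr title="%s">%s</abbr>',
        esc_attr( $hover ), // attribute context: " becomes &quot;
        esc_html( $word )   // text context: < becomes &lt;
    );
}

// Register the sanitizer so WordPress applies it before the option is stored.
add_action( 'admin_init', function () {
    register_setting(
        'example_text_hover',
        'example_text_hover_map',
        array( 'sanitize_callback' => 'example_sanitize_hover_map' )
    );
} );
```

With the advisory's payload as input, sanitize_text_field removes the script tags and esc_attr neutralizes the remaining quote and angle bracket, so the stored value can no longer break out of the title attribute.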