The plugin does not sanitise and escape some element URL, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks
As a contributor or above, create a post using Brizy editor, add an Icon or Button element and put the following payload in the "Link to" setting: ";</script><script>alert("XSS")</script>
The XSS will be triggered when viewing/previewing the post (for example when an admin reviews it)