The plugin does not sanitize or escape its settings, which could allow high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (such as in a multisite setup, where by default only super admins hold it).
As an administrator, put the following payloads in the mentioned settings of the plugin (/wp-admin/options-general.php?page=bannerman), then save; the unescaped values are rendered back into the settings page and the payloads execute there.
- </textarea><svg/onload=prompt(/XSS/)> in any of the textarea fields, like "Style your banner with CSS:"
- "><script>alert(/XSS/)</script> in any of the text fields like "Background colour"
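The pattern behind both payloads, as an added illustration that is not the plugin's actual code: a hypothetical settings page written the unsafe way (option stored and printed back verbatim) next to a hardened version that sanitizes on save and escapes on output. The option group, option names, field names and function names are assumptions for this example; the textarea/text-field split mirrors the two payloads above.

```php
<?php
// Added illustration, not code from the plugin. Option and function names are hypothetical.

// --- Unsafe pattern: the value is stored and echoed back unchanged. ---
function bm_vuln_register_settings() {
    // No sanitize_callback: whatever the form submits lands in the option as-is.
    // The unfiltered_html capability only governs KSES filtering of post content,
    // so nothing in core filters these option values on the plugin's behalf.
    register_setting( 'bannerman_group', 'bannerman_css' );
    register_setting( 'bannerman_group', 'bannerman_bg_colour' );
}

function bm_vuln_render_fields() {
    $css    = get_option( 'bannerman_css', '' );
    $colour = get_option( 'bannerman_bg_colour', '' );
    // Unescaped output: "</textarea><svg/onload=...>" closes the textarea early,
    // and "\"><script>..." terminates the value attribute and the input tag.
    echo '<textarea name="bannerman_css">' . $css . '</textarea>';
    echo '<input type="text" name="bannerman_bg_colour" value="' . $colour . '">';
}

// --- Hardened pattern: sanitize on save, escape on output. ---
function bm_safe_register_settings() {
    register_setting( 'bannerman_group', 'bannerman_css', array(
        'type'              => 'string',
        'sanitize_callback' => 'bm_sanitize_css',
    ) );
    register_setting( 'bannerman_group', 'bannerman_bg_colour', array(
        'type'              => 'string',
        'sanitize_callback' => 'bm_sanitize_colour',
    ) );
}

// CSS is free text, so strip markup rather than try to allow-list it.
function bm_sanitize_css( $value ) {
    return wp_strip_all_tags( (string) $value );
}

// A colour field only needs a hex colour; reject everything else. A plain regex
// is used here because sanitize_hex_color() is not guaranteed to be loaded
// outside the Customizer.
function bm_sanitize_colour( $value ) {
    $value = trim( (string) $value );
    return preg_match( '/^#([A-Fa-f0-9]{3}|[A-Fa-f0-9]{6})$/', $value ) ? $value : '';
}

function bm_safe_render_fields() {
    $css    = get_option( 'bannerman_css', '' );
    $colour = get_option( 'bannerman_bg_colour', '' );
    // esc_textarea() encodes "<" so "</textarea>" cannot close the element early;
    // esc_attr() encodes the quote so the value attribute cannot be terminated.
    echo '<textarea name="bannerman_css">' . esc_textarea( $css ) . '</textarea>';
    echo '<input type="text" name="bannerman_bg_colour" value="' . esc_attr( $colour ) . '">';
}

add_action( 'admin_init', 'bm_safe_register_settings' );
```

Both halves of the fix matter: the sanitize_callback keeps the script out of the database (and out of any other place the plugin prints the option, such as the front-end banner), while esc_textarea()/esc_attr() make the settings page itself safe even for a value that was stored before the fix. Checking current_user_can( 'unfiltered_html' ) before storing raw markup would also be consistent with how core treats post content, but escaping on output is still required.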