The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
As admin, add/edit a sharing method ("Giveaways" > "Settings" > "Sharing Method"), and put the following payload in the Method Title field: <script>alert(/XSS/)</script><img src onerror=alert(/XSS2/)>
As Unauthenticated or authenticated user, go to a giveaway page in the frontend ( date one as admin if there is none yet) and enter it by giving an email. The XSS will be triggered afterwards