The plugin does not sanitise and escape a parameter before outputting it back in the page when the debug option is enabled, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
When the debug settings is enabled (ie /wp-admin/admin.php?page=yikes-inc-easy-mailchimp-settings§ion=debug-settings), make a logged in admin open the URL below
https://example.com/wp-admin/admin.php?page=yikes-mailchimp-edit-form&sql_error=<svg/onload=alert(/XSS/)>