The plugin did not sanitise the robots.txt content, allowing high-privilege users (admin+) to inject XSS payloads, which are then output back in the plugin's settings page.
Put the following directive in the plugin settings field "User Agents and Directives for this site":
Disallow: /wp-register.php</textarea></td></tr><script>alert(1);</script>
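The flaw and its fix, as an added example that is not the plugin's own code: the stored directive is rendered into the settings-page textarea once raw and once encoded. The function names, the field name and the save-time filter policy are assumptions; inside WordPress, esc_textarea() is the output-escaping function for this context, and htmlspecialchars() stands in for it here so the snippet runs with plain PHP.

```php
<?php
// Added example; all names are hypothetical, not taken from the plugin.

// Constructed sample: the directive from the proof of concept, as stored.
$stored = 'Disallow: /wp-register.php</textarea></td></tr><script>alert(1);</script>';

// Vulnerable pattern: the stored value is echoed raw, so a "</textarea>" inside
// it closes the field and everything after it is parsed as page markup.
function render_vulnerable(string $value): string
{
    return '<tr><td><textarea name="directives">' . $value . '</textarea></td></tr>';
}

// Hardened pattern: encode on output so the value stays text inside the field.
function render_hardened(string $value): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return '<tr><td><textarea name="directives">' . $escaped . '</textarea></td></tr>';
}

// Save-time filter (assumed policy): keep blank lines, "# comment" lines and
// "Field: value" lines, and drop any line that contains an angle bracket.
function filter_directives(string $value): string
{
    $kept = [];
    foreach (preg_split('/\r\n|\r|\n/', $value) as $line) {
        if (preg_match('/^\s*(#[^<>]*|[A-Za-z-]+\s*:[^<>]*)?$/', $line)) {
            $kept[] = rtrim($line);
        }
    }
    return implode("\n", $kept);
}

// Render the same stored value three ways and report whether a script element survives.
$samples = [
    'vulnerable'        => render_vulnerable($stored),
    'hardened'          => render_hardened($stored),
    'filtered+hardened' => render_hardened(filter_directives("User-agent: *\n" . $stored)),
];
foreach ($samples as $name => $html) {
    $live = strpos($html, '<script>') !== false ? 'yes' : 'no';
    printf("%-18s live <script> element: %s\n", $name, $live);
    echo $html, "\n\n";
}
```

Escaping at output is the fix for this finding; the save-time filter is defence in depth and also keeps markup out of the robots.txt that is served.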