The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Put the payload below in any of the "Challenge & Block" (ie /wp-admin/admin.php?page=ss_challenge) settings, or in the "Response Timeout Value" settings in the "Protection Options" (ie /wp-admin/admin.php?page=ss_options) and save
" style=animation-name:rotation onanimationstart=alert(/XSS/)//