The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
1. Go to the Mailing list option and register a new user with the value "autofocus onfocus=alert(1)// in the email and name fields.
2. Click on edit subscriber, and the XSS will be reflected.
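
The missing sanitize-on-save and escape-on-output steps, shown on the value from step 1. This is an added example, not the plugin's code: the function and field names are hypothetical, and plain PHP functions stand in for the WordPress helpers named in the comments so it runs outside WordPress.

```php
<?php
// Added illustration; function and field names are hypothetical.

// Value from step 1 of the report, as it would be stored for the subscriber.
$payload = '"autofocus onfocus=alert(1)//';

// Sanitize on save: accept only a syntactically valid e-mail address.
// (Inside WordPress, is_email() / sanitize_email() serve this purpose.)
function clean_email(string $raw): ?string {
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Sanitize on save: strip tags and control characters from a display name.
// (Inside WordPress, sanitize_text_field() serves this purpose.)
function clean_name(string $raw): string {
    $name = strip_tags($raw);
    return trim((string) preg_replace('/[\x00-\x1F\x7F]+/', ' ', $name));
}

// Vulnerable rendering: the stored value is placed in the attribute as-is,
// so its leading double quote closes value="" and the rest of the string
// is parsed as additional attributes of the <input> element.
function field_unescaped(string $field, string $value): string {
    return '<input type="text" name="' . $field . '" value="' . $value . '">';
}

// Hardened rendering: escape for the HTML attribute context at output time.
// (Inside WordPress, esc_attr() serves this purpose.)
function field_escaped(string $field, string $value): string {
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="' . $field . '" value="' . $safe . '">';
}

// The e-mail check rejects the value outright.
var_dump(clean_email($payload));

// The name cleaner leaves the double quote in place (it is not a tag),
// so the two renderings differ only because of output escaping.
$name = clean_name($payload);
echo field_unescaped('subscriber_name', $name), PHP_EOL;
echo field_escaped('subscriber_name', $name), PHP_EOL;
```

The name field shows why both steps are needed: text sanitization does not remove a double quote, so the value stays inert only when it is escaped for the attribute context wherever the edit-subscriber form prints it.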