The plugin does not sanitise and escape its settings, allowing high privilege users to perform Cross-Site Scripting attacks when unfiltered_html is disallowed
Put the following payload in any of the plugin's settings (such as Font size, Font Color) and save: "><img src onerror=alert(/XSS/)>
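The root cause is a settings value that is stored without a sanitize callback and echoed into an attribute without escaping; the comparison below is an added illustration, not code from the affected plugin, and the option names, bounds and defaults are assumptions chosen to mirror the font size / font colour settings named above.

```php
<?php
// Added illustration (not the affected plugin's code). Option names, bounds
// and defaults are assumed; the settings mirror those named in the advisory.

// --- Vulnerable pattern: no sanitize_callback on save, no escaping on output.
// A value such as  "><img src onerror=alert(/XSS/)>  closes the value=""
// attribute and injects markup into the settings page for every admin who opens it.
function vuln_register_settings() {
    register_setting( 'example_opts', 'example_font_size' );  // stored verbatim
    register_setting( 'example_opts', 'example_font_color' ); // stored verbatim
}
function vuln_render_font_size_field() {
    $size = get_option( 'example_font_size', '' );
    echo '<input type="text" name="example_font_size" value="' . $size . '">';
}

// --- Hardened pattern: validate on save, escape on output.
function safe_sanitize_font_size( $value ) {
    // A font size is a small positive integer (px); anything else falls back.
    $n = absint( $value );
    return ( $n >= 8 && $n <= 72 ) ? $n : 14; // assumed bounds and default
}
function safe_sanitize_font_color( $value ) {
    // Accept only #rgb or #rrggbb; reject everything else.
    return preg_match( '/^#([A-Fa-f0-9]{3}){1,2}$/', (string) $value ) ? $value : '#000000';
}
function safe_register_settings() {
    register_setting( 'example_opts', 'example_font_size', array(
        'type'              => 'integer',
        'sanitize_callback' => 'safe_sanitize_font_size',
        'default'           => 14,
    ) );
    register_setting( 'example_opts', 'example_font_color', array(
        'type'              => 'string',
        'sanitize_callback' => 'safe_sanitize_font_color',
        'default'           => '#000000',
    ) );
}
function safe_render_font_size_field() {
    // esc_attr() neutralises quotes and angle brackets even if a bad value
    // ever reached the database, so output escaping is the second layer.
    $size = get_option( 'example_font_size', 14 );
    printf( '<input type="text" name="example_font_size" value="%s">', esc_attr( $size ) );
}
add_action( 'admin_init', 'safe_register_settings' );
```

The sanitize callback runs inside update_option() regardless of the saving user's capabilities, so it closes the gap even though WordPress only strips markup for users lacking unfiltered_html when a plugin explicitly asks it to.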