The plugin does not sanitise and escape some of its fields, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.
As a contributor, create a new Baby item and put the following payload in any of the settings (such as Birth Date, Time of Birth, etc.): "><script>alert('XSS')</script>
The XSS will be triggered when editing the post, as well as when viewing or previewing it.
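
The missing sanitisation and escaping, shown as an added example that is not the plugin's own code: the unescaped attribute output beside its escaped form, plus validation of the value on save. The render and sanitise function names, the birth_date field name and the Y-m-d date format are assumptions; the two guarded stand-in functions exist only so the file also runs outside WordPress, where the real esc_attr() and sanitize_text_field() are not loaded.

```php
<?php
// Added example: helper names, the field name and the date format are
// hypothetical and do not come from the plugin.

// Simplified stand-ins for running outside WordPress; inside WordPress the
// core esc_attr() and sanitize_text_field() already exist and are used.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($text) {
        return trim(preg_replace('/\s+/', ' ', strip_tags((string) $text)));
    }
}

// Vulnerable pattern: the stored value is concatenated into an attribute
// as-is, so a leading "> closes the attribute and the input tag.
function render_field_unsafe($name, $value) {
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened output: escape for the attribute context at render time.
function render_field_safe($name, $value) {
    return '<input type="text" name="' . esc_attr($name)
         . '" value="' . esc_attr($value) . '">';
}

// Hardened input: strip markup on save, then accept only a real calendar
// date in the assumed Y-m-d format; anything else is stored as empty.
function sanitize_birth_date($raw) {
    $clean = sanitize_text_field($raw);
    $date  = DateTime::createFromFormat('!Y-m-d', $clean);
    return ($date && $date->format('Y-m-d') === $clean) ? $clean : '';
}

$payload = '"><script>alert(\'XSS\')</script>'; // payload from the advisory

// Compare the two renderings of the same stored value.
echo render_field_unsafe('birth_date', $payload), "\n";
echo render_field_safe('birth_date', $payload), "\n";

// Rejected on save versus accepted on save.
var_dump(sanitize_birth_date($payload));
var_dump(sanitize_birth_date('2021-03-14'));
```

Escaping at output covers both the edit screen and the front-end view even for values stored before the fix; validation on save keeps new bad values out of the database.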