The plugin does not sanitise and escape some of the Product fields, allowing high-privilege users to perform stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example on multisite installations, where only super admins keep it, or when DISALLOW_UNFILTERED_HTML is defined).
Add or edit a product and put the following payload in the Product Affiliate URL and Custom Button Text fields:

">

The Product Description field is also affected, with the following payload:

The XSS is triggered when viewing the Product in a page, or when editing the Product in the admin dashboard.
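The following is an added illustration of the pattern behind this class of issue and of the fix a plugin author would apply; it is not the affected plugin's code, and the meta keys, field names and function names (`_example_affiliate_url`, `example_nonce`, `vuln_render_product`, and so on) are hypothetical. The point it makes is the one the advisory relies on: unfiltered_html only governs what the post content filter strips, so a plugin that writes its own meta fields must sanitise on save and escape on output itself, choosing the escaping function by the context the value lands in (URL attribute, text node, rich HTML).

```php
<?php
// Added example with hypothetical names; not the plugin's own code.

// Vulnerable pattern: stored meta echoed straight into attributes and markup.
function vuln_render_product( $post_id ) {
    $url  = get_post_meta( $post_id, '_example_affiliate_url', true );
    $text = get_post_meta( $post_id, '_example_button_text', true );
    $desc = get_post_meta( $post_id, '_example_description', true );
    // A value beginning with "> closes the href attribute and the <a> tag, so
    // whatever follows it is parsed as new HTML. Nothing here consults
    // unfiltered_html, which is why removing that capability does not help.
    echo '<a href="' . $url . '" class="button">' . $text . '</a>';
    echo '<div class="description">' . $desc . '</div>';
}

// Hardened, step 1: sanitise on save, per field type.
function hardened_save_product( $post_id ) {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // Hypothetical nonce field 'example_nonce' with action 'example_save'.
    if ( ! isset( $_POST['example_nonce'] )
        || ! wp_verify_nonce( $_POST['example_nonce'], 'example_save' ) ) {
        return;
    }
    if ( isset( $_POST['example_affiliate_url'] ) ) {
        // esc_url_raw() keeps only allowed protocols; "javascript:" and
        // quote-breaking input do not survive.
        update_post_meta( $post_id, '_example_affiliate_url',
            esc_url_raw( wp_unslash( $_POST['example_affiliate_url'] ) ) );
    }
    if ( isset( $_POST['example_button_text'] ) ) {
        // Button text is plain text: strip tags and control characters.
        update_post_meta( $post_id, '_example_button_text',
            sanitize_text_field( wp_unslash( $_POST['example_button_text'] ) ) );
    }
    if ( isset( $_POST['example_description'] ) ) {
        // The description legitimately carries HTML. wp_kses_post() allows
        // the same markup a user without unfiltered_html may post, so
        // <script>, event-handler attributes and javascript: URLs are removed.
        update_post_meta( $post_id, '_example_description',
            wp_kses_post( wp_unslash( $_POST['example_description'] ) ) );
    }
}

// Hardened, step 2: escape on output, in the context where the value lands.
function hardened_render_product( $post_id ) {
    $url  = get_post_meta( $post_id, '_example_affiliate_url', true );
    $text = get_post_meta( $post_id, '_example_button_text', true );
    $desc = get_post_meta( $post_id, '_example_description', true );
    printf(
        '<a href="%s" class="button">%s</a>',
        esc_url( $url ),   // URL attribute context
        esc_html( $text )  // text-node context
    );
    // Re-filter on output as well, so old unsanitised rows are also covered.
    echo '<div class="description">' . wp_kses_post( $desc ) . '</div>';
}

// Hardened, step 3: the admin edit screen is a second sink. The same values
// go into form controls, so escape for attribute and textarea context there.
function hardened_render_product_fields( $post_id ) {
    $url  = get_post_meta( $post_id, '_example_affiliate_url', true );
    $text = get_post_meta( $post_id, '_example_button_text', true );
    $desc = get_post_meta( $post_id, '_example_description', true );
    wp_nonce_field( 'example_save', 'example_nonce' );
    printf( '<input type="url" name="example_affiliate_url" value="%s">', esc_attr( $url ) );
    printf( '<input type="text" name="example_button_text" value="%s">', esc_attr( $text ) );
    printf( '<textarea name="example_description">%s</textarea>', esc_textarea( $desc ) );
}
```

Sanitising on save alone is not enough, because rows written before the fix remain in the database; escaping on output closes both the front-end and the dashboard sink described in the advisory.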