The plugin does not sanitise or escape its Post Views Label setting, which could allow high-privilege users to perform Cross-Site Scripting attacks in the frontend even when the unfiltered_html capability is disallowed.
Put the following payload in the Post Views Label setting of the plugin (/wp-admin/options-general.php?page=post-views-counter&tab=display):

The XSS is triggered on any post by default, but this could also be changed to any pages etc.
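The fix pattern for the issue described above, as an added example that is not the plugin's own code: sanitise the label when the setting is saved and escape it again when it is rendered. The option name, settings group, function name and markup are hypothetical; only the WordPress core functions are real.

```php
<?php
// Added illustration. All "example_*" names and the markup are hypothetical
// and are not taken from the Post Views Counter source.

// 1. Sanitise on save: strip tags so markup never reaches the database,
//    regardless of whether the saving user holds unfiltered_html.
add_action( 'admin_init', function () {
    register_setting(
        'example_views_display',   // hypothetical settings group
        'example_views_label',     // hypothetical option name
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => 'Post Views:',
        )
    );
} );

// 2. Escape on output: treat the stored value as untrusted even after step 1,
//    because it may predate the fix or have been written straight to the DB.
function example_views_markup( $count ) {
    $label = get_option( 'example_views_label', 'Post Views:' );

    return sprintf(
        '<div class="example-views"><span class="example-views-label">%s</span> <span class="example-views-count">%s</span></div>',
        esc_html( $label ),
        esc_html( number_format_i18n( (int) $count ) )
    );
}

// Vulnerable shape, for comparison: the stored label is concatenated into
// the frontend HTML with neither sanitisation nor escaping.
// return '<span class="example-views-label">' . $label . '</span>';
```

If the label has to allow limited markup, `wp_kses()` with an explicit allow-list on both save and output is the usual alternative to stripping all tags.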