The plugin does not sanitise or escape some of its settings before outputting them in the admins dashboard, allowing high privilege users to perform Cross-Site Scripting attacks against other users even when the unfiltered_html capability is disallowed
Put the following payload in the “Background Color” or “Labels Color” Skyscraper settings of the plugin in the (/wp-admin/options-general.php?page=skyscraper_options): "> Other settings might be affected as well