The plugin does not properly sanitise its settings, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
In the plugin’s settings, put the following values:
- In the “Step 1: Enter text/HTML to remove (one per line)” field: powered
- In the “Step 2: Enter your own footer credit (one per line)” field: ">–>
The XSS will be triggered in all pages.
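The root cause is a settings value that is stored and echoed into every page without any filtering. The following is an added illustration, not the affected plugin's code: a hypothetical footer-credit plugin (option names hypo_footer_remove and hypo_footer_credit, settings group hypo_settings are assumptions) shown first in the insecure shape the advisory describes and then with the sanitisation that WordPress core provides for exactly this case.

```php
<?php
/*
 * Added illustration (hypothetical plugin, not the one in the advisory).
 * Assumed option names: hypo_footer_remove (plain text lines to strip from the
 * default credit) and hypo_footer_credit (custom footer HTML).
 */

// --- Vulnerable pattern: no sanitize_callback, raw echo ---------------------
// register_setting() without a sanitize_callback stores whatever the admin
// submitted, and the footer hook prints it verbatim on every front-end page.
function hypo_register_settings_vulnerable() {
    register_setting( 'hypo_settings', 'hypo_footer_remove' );
    register_setting( 'hypo_settings', 'hypo_footer_credit' );
}

function hypo_print_footer_vulnerable() {
    echo get_option( 'hypo_footer_credit', '' );
}

// --- Hardened pattern: filter on save, filter again on output ----------------
// "Text to remove" is used as plain search strings, so it never needs markup:
// sanitize_textarea_field() strips tags and control characters line by line.
function hypo_sanitize_footer_remove( $value ) {
    return sanitize_textarea_field( (string) $value );
}

// The credit may legitimately contain markup (a link, bold text), so use the
// post-content whitelist instead of stripping everything. wp_kses_post()
// removes <script>, event-handler attributes, javascript: URLs and unbalanced
// quote/comment tricks while keeping ordinary HTML. Applying it regardless of
// unfiltered_html is the conservative choice: an administrator loses the
// ability to put script in the footer, but the setting can no longer become a
// stored XSS vector, which is what the advisory describes.
function hypo_sanitize_footer_credit( $value ) {
    return wp_kses_post( (string) $value );
}

function hypo_register_settings_hardened() {
    register_setting( 'hypo_settings', 'hypo_footer_remove', array(
        'type'              => 'string',
        'sanitize_callback' => 'hypo_sanitize_footer_remove',
        'default'           => '',
    ) );
    register_setting( 'hypo_settings', 'hypo_footer_credit', array(
        'type'              => 'string',
        'sanitize_callback' => 'hypo_sanitize_footer_credit',
        'default'           => '',
    ) );
}

function hypo_print_footer_hardened() {
    // Filter at output time as well: stored values may predate the fix or may
    // have been written through another path (WP-CLI, import, direct DB access).
    echo wp_kses_post( get_option( 'hypo_footer_credit', '' ) );
}

// Wire up the hardened versions; the vulnerable ones are kept only for contrast.
add_action( 'admin_init', 'hypo_register_settings_hardened' );
add_action( 'wp_footer', 'hypo_print_footer_hardened' );
```

The two-sided fix matters because the save path is not the only way a value reaches the database: filtering on output closes the gap for existing rows and for any second write path. When reviewing a plugin for this class of bug, look for register_setting() or update_option() calls without a sanitize_callback and for echo/print of get_option() values without esc_html(), esc_attr() or wp_kses_post() around them.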