The plugin does not sanitise and escape some of its settings, which could allow users with the role of author and above to perform Stored Cross-Site Scripting attacks.
1. Create a “New Inventory Item” 2. In the “Description” field, add the value ">
3. Edit the created item and see the XSS.