The plugin does not sanitize or escape some of its settings before outputting them in the admin's dashboard, allowing Contributor+ privileged users to perform Cross-Site Scripting attacks against other users even when the unfiltered_html capability is disallowed.