The plugin does not sanitise and escape some of its Giveaways options, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Login with an editor user and add/edit a Giveaways, then go to the “Prize Info” section and add a new price with the following payload in the Title: "> The XSS will be triggered each time an admin/other user go to such options again and add a character to the Title field