The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as editors to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).
1. Go to the “Teams” section » add a new team and in the “Main color” option, add the payload: " onmouseover=alert(/XSS/)//
2. Publish/Update the page » click on the “Main color” option and hover the mouse over the input field to trigger the XSS.
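The missing controls here are validation of the colour value when it is saved and escaping when it is printed into the input's attribute. The PHP below is an added example, not the plugin's code: the function names and the field name `main_color` are hypothetical, and plain PHP stands in for the WordPress helpers `sanitize_hex_color()` and `esc_attr()`.

```php
<?php
// Hypothetical stand-in for the "Main color" setting; not the plugin's code.

// Vulnerable pattern: the stored value is concatenated into a
// double-quoted attribute as-is, so a '"' in the value closes the attribute.
function render_color_field_unsafe(string $stored): string {
    return '<input type="text" name="main_color" value="' . $stored . '">';
}

// Save-time validation: accept only #rgb or #rrggbb, otherwise store nothing.
// WordPress equivalent: sanitize_hex_color().
function sanitize_main_color(string $raw): string {
    $raw = trim($raw);
    $ok  = preg_match('/\A#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})\z/', $raw) === 1;
    return $ok ? $raw : '';
}

// Output-time escaping: quotes and angle brackets become entities, so the
// value cannot leave the attribute. WordPress equivalent: esc_attr().
function render_color_field_safe(string $stored): string {
    $value = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="main_color" value="' . $value . '">';
}

// Constructed sample inputs: a legitimate colour and the payload from step 1.
$samples = ['#1a2b3c', '" onmouseover=alert(/XSS/)//'];

foreach ($samples as $input) {
    echo 'input:     ', $input, "\n";
    echo 'unsafe:    ', render_color_field_unsafe($input), "\n";
    echo 'escaped:   ', render_color_field_safe($input), "\n";
    echo 'validated: ', render_color_field_safe(sanitize_main_color($input)), "\n\n";
}
```

Both controls are applied in the last line of output on purpose: validation keeps bad data out of the database, and escaping protects the page even if an unvalidated value is already stored.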