The plugin does not sanitise and escape the Data ID setting before storing and outputting it, which could allow high-privilege users (such as administrators) to perform stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup or when DISALLOW_UNFILTERED_HTML is defined.
Put the following payload in the Data ID setting of the plugin (/wp-admin/edit.php?post_type=tlsa_audit&page=tlsa_settings) and save it: ">
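The underlying defect is the common WordPress pattern of registering a settings field without a sanitize_callback and then echoing the stored option straight into an HTML attribute. The following is an added illustrative example, not the plugin's own code: the option name, function names and settings group below are hypothetical, and the vulnerable form is shown beside the hardened one.

```php
<?php
// Added illustrative example (not the plugin's own code). Option name,
// function names and the settings group are hypothetical placeholders.

// --- Vulnerable pattern: value stored raw and printed without escaping ---
function example_vuln_register_settings() {
    // No sanitize_callback: whatever is POSTed is written to the options table.
    register_setting( 'example_settings_group', 'example_data_id' );
}
add_action( 'admin_init', 'example_vuln_register_settings' );

function example_vuln_render_field() {
    $data_id = get_option( 'example_data_id', '' );
    // Printing the raw value inside an attribute lets a stored value that
    // begins with "> close the attribute and the tag and inject markup.
    echo '<input type="text" name="example_data_id" value="' . $data_id . '">';
}

// --- Hardened pattern: sanitise on save, escape on output ---
function example_safe_register_settings() {
    register_setting(
        'example_settings_group',
        'example_data_id',
        array(
            'type'              => 'string',
            // Strips tags and normalises whitespace before the value is stored.
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'example_safe_register_settings' );

function example_safe_render_field() {
    $data_id = get_option( 'example_data_id', '' );
    // esc_attr() encodes quotes and angle brackets for the attribute context,
    // so a stored "> can no longer break out of value="...".
    echo '<input type="text" name="example_data_id" value="' . esc_attr( $data_id ) . '">';
}
```

Note that sanitising on save is not sufficient by itself: sanitize_text_field() only strips complete tags, so a fragment like "> survives it, and only the output-context escaping (esc_attr() here) actually prevents the attribute breakout. If the Data ID is meant to be an identifier rather than free text, a stricter sanitiser such as sanitize_key() further narrows what can be stored.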