The plugin does not sanitise and escape some element URL, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks
As a contributor or above, create a post using Brizy editor, add an Icon or Button element and put the following payload in the “Link to” setting: ";alert(“XSS”)