The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping
The XSS will be triggered in the Sideblog widget (either embed in frontend pages, or via the Appearance > Widgets > then search the Sideblog and add it)