The plugin does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup)
Enable 2FA + Website Security and put the following payload in the “Advanced Blocking” tab > “Block HTTP Referer’s” section > “Add Referer" field: ">