The plugin does not sanitize or escape its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (such as in a multisite setup).
As an administrator, put the following payloads in the mentioned settings of the plugin (/wp-admin/options-general.php?page=bannerman), then save:
- in any of the textarea fields, like “Style your banner with CSS:”
- "> in any of the text fields, like “Background colour”
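
The fix for this class of bug is to sanitize each setting when it is saved and escape it for its output context when it is rendered, regardless of the user's capabilities. The following is an added example, not the plugin's own code: the option names, function names and the assumption that the colour field holds a hex value are hypothetical, while the WordPress functions called are core APIs.

```php
<?php
// Added illustration. Option and function names are hypothetical, not the plugin's own.

add_action( 'admin_init', 'example_banner_register_settings' );

function example_banner_register_settings() {
    // Text field: assumed here to hold a hex colour such as #ff0000.
    register_setting( 'example_banner', 'example_banner_bg_colour', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_banner_sanitize_colour',
    ) );
    // Textarea: free-form CSS, so markup is stripped before it is stored.
    register_setting( 'example_banner', 'example_banner_css', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_banner_sanitize_css',
    ) );
}

function example_banner_sanitize_colour( $value ) {
    // sanitize_hex_color() returns the colour only if it is a valid
    // 3- or 6-digit hex value; anything else is stored as empty.
    $colour = sanitize_hex_color( trim( (string) $value ) );
    return $colour ? $colour : '';
}

function example_banner_sanitize_css( $value ) {
    // Removes all tags, including the contents of <script> and <style>.
    return wp_strip_all_tags( (string) $value );
}

// Settings page: escape for the HTML context each value lands in.
function example_banner_render_fields() {
    $colour = get_option( 'example_banner_bg_colour', '' );
    $css    = get_option( 'example_banner_css', '' );
    ?>
    <input type="text" name="example_banner_bg_colour"
           value="<?php echo esc_attr( $colour ); ?>" />
    <textarea name="example_banner_css"><?php echo esc_textarea( $css ); ?></textarea>
    <?php
}

// Front end: strip tags again on output so a stored value cannot close the <style> element.
function example_banner_print_css() {
    $css = wp_strip_all_tags( (string) get_option( 'example_banner_css', '' ) );
    echo '<style id="example-banner-css">' . $css . '</style>';
}
```

Because the sanitize callbacks run on every save, the result does not depend on whether the saving user holds unfiltered_html, which is the multisite case the advisory calls out.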