The plugin does not escape and sanitise some of its block settings, allowing users with as role as low as Contributor to perform Stored Cross-Site Scripting attacks via blockType (combined with content), align, color, variant and fontID argument of a Gutenberg block.
As a contributor, put the following code in a post/page while in Code Editor mode < 3.0.2 < 3.0.3