The plugin does not sanitise and escape Tab descriptions, which could allow high-privileged users with a role as low as editor to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Create/edit a Tab via the plugin, and put the following payload in a Tab description: ">
The XSS will be triggered in posts/pages where the Tab is embedded via the [TABS_R id=XXXX] shortcode.
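
The two missing controls named above, sanitising on save and escaping on output, shown as an added example of the usual WordPress pattern; this is not the plugin's code or its actual patch. The meta key, form field names, nonce action and the EXAMPLE_TABS shortcode tag are hypothetical, and storing the description as post meta is an assumption.

```php
<?php
// Added example: every name here (meta key, form fields, nonce action,
// shortcode tag) is hypothetical; storage in post meta is an assumption.
const EXAMPLE_TAB_DESC_META = '_example_tab_description';

// Save path: sanitise before the description is stored.
function example_save_tab_description( $post_id ) {
    if ( ! isset( $_POST['example_tab_description'], $_POST['example_tab_nonce'] ) ) {
        return;
    }
    $nonce = sanitize_text_field( wp_unslash( $_POST['example_tab_nonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'example_save_tab' ) || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // wp_kses_post() reduces the value to the post-content allowlist for every
    // role, so the result no longer depends on who holds unfiltered_html.
    $clean = wp_kses_post( wp_unslash( $_POST['example_tab_description'] ) );

    // update_post_meta() unslashes its input, so re-slash the cleaned value.
    update_post_meta( $post_id, EXAMPLE_TAB_DESC_META, wp_slash( $clean ) );
}
add_action( 'save_post', 'example_save_tab_description' );

// Output path: escape again when the shortcode renders the description.
function example_render_tab_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'EXAMPLE_TABS' );
    $id   = absint( $atts['id'] );
    if ( 0 === $id ) {
        return '';
    }
    $desc = (string) get_post_meta( $id, EXAMPLE_TAB_DESC_META, true );

    // Filtering late also covers descriptions stored before the save-side fix.
    return '<div class="example-tab-description">' . wp_kses_post( $desc ) . '</div>';
}
add_shortcode( 'EXAMPLE_TABS', 'example_render_tab_shortcode' );
```

If the description is meant to be plain text rather than limited HTML, sanitize_textarea_field() on save and esc_html() on output are the stricter equivalents.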