The plugin does not sanitise and escape the Message Subject field before outputting it in the Messages list, which could allow high privileges users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
Add/Edit a message and put the following payload in the Subject field: "> The XSS will be triggered in the Messages list (/wp-admin/admin.php?page=bbpp_thankmelater)