The plugin does not properly sanitise its settings, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Proof of Concept
In the plugin's settings, put the following values:
- In "Step 1: Enter text/HTML to remove (one per line)" field: powered
- In "Step 2: Enter your own footer credit (one per line)": ">--><img src onerror=alert(/XSS/)>
The XSS will be triggered on all pages.
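For reference, the following is an added example of how a settings handler can be written so that this class of stored XSS is not possible. It is not the affected plugin's code; the option name, settings group, field keys and function names are hypothetical placeholders. The fix has two parts: a sanitize_callback on register_setting() that reduces the footer credit to the wp_kses_post() allow-list whenever the saving user lacks unfiltered_html (and strips tags entirely from the plain-text "remove" field), plus re-filtering at output time as defence in depth.

```php
<?php
// Added example (not the plugin's own code). Option names, the settings group
// and the field keys below are hypothetical placeholders.

defined( 'ABSPATH' ) || exit;

const EXAMPLE_OPTION_NAME = 'example_footer_settings'; // hypothetical option name

// Runs on every save of the settings page (options.php), in the context of the
// user who submitted the form, so the capability check reflects that user.
function example_sanitize_settings( $input ) {
    $clean = array();

    // Step 1 field: plain text patterns, one per line. HTML is never needed
    // here, so strip tags line by line and drop empty lines.
    $remove = isset( $input['remove_text'] ) ? (string) $input['remove_text'] : '';
    $lines  = array_map( 'sanitize_text_field', explode( "\n", $remove ) );
    $clean['remove_text'] = implode( "\n", array_filter( $lines, 'strlen' ) );

    // Step 2 field: custom footer credit, where some HTML is expected. Only a
    // user holding unfiltered_html may store arbitrary markup; everyone else is
    // limited to the post-content allow-list, which removes event-handler
    // attributes such as onerror and unbalanced comment/tag tricks.
    $credit = isset( $input['footer_credit'] ) ? (string) $input['footer_credit'] : '';
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $credit = wp_kses_post( $credit );
    }
    $clean['footer_credit'] = $credit;

    return $clean;
}

function example_register_settings() {
    register_setting(
        'example_settings_group', // hypothetical settings group
        EXAMPLE_OPTION_NAME,
        array(
            'type'              => 'array',
            'sanitize_callback' => 'example_sanitize_settings',
            'default'           => array( 'remove_text' => '', 'footer_credit' => '' ),
        )
    );
}
add_action( 'admin_init', 'example_register_settings' );

function example_render_footer_credit() {
    $settings = get_option( EXAMPLE_OPTION_NAME, array() );
    $credit   = isset( $settings['footer_credit'] ) ? (string) $settings['footer_credit'] : '';

    // Defence in depth: filter again at output, so a value that reached the
    // database by another path (import, older plugin version, direct DB edit)
    // cannot inject script into every front-end page.
    echo wp_kses_post( $credit );
}
add_action( 'wp_footer', 'example_render_footer_credit' );
```

Filtering at output means that even a user with unfiltered_html is limited to the wp_kses_post() allow-list on the front end; if a plugin must honour raw markup for such users, it should record at save time that the value was stored by a user with that capability, since the rendering request has no way to know who wrote the option.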