The plugin does not sanitise and escape some of its settings before outputting them in pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Proof of Concept
Put one of the following payloads in the Welcome message (st_content parameter) of the plugin:
</script><img src onerror=alert(/XSS/)> to trigger the XSS in any frontend page
</textarea><img src onerror=alert(/XSS/)> to trigger the XSS in the plugin's settings
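The two output contexts the payloads above target (an inline script block on the frontend and the textarea on the settings page) are what decide the fix. The following is an added example, not code from the affected plugin: it shows the unescaped pattern that produces this class of bug beside a hardened version that sanitises on save and escapes per context. The option name st_settings, the setting group name and every st_example_* function name are hypothetical placeholders; only the st_content key comes from the advisory.

```php
<?php
// Added example (not the plugin's own code). Option name 'st_settings',
// the settings group and all st_example_* names are hypothetical.

// --- Vulnerable pattern ---------------------------------------------------
// The raw option value is echoed into an inline <script> block and into the
// settings <textarea>. A value containing "</script>" or "</textarea>"
// closes the enclosing element and everything after it is parsed as HTML,
// regardless of whether the saving user has unfiltered_html.
function st_example_vulnerable_frontend() {
    $opts = get_option( 'st_settings' );
    echo '<script>var stWelcome = "' . $opts['st_content'] . '";</script>';
}

function st_example_vulnerable_settings_page() {
    $opts = get_option( 'st_settings' );
    echo '<textarea name="st_settings[st_content]">' . $opts['st_content'] . '</textarea>';
}

// --- Hardened pattern ------------------------------------------------------
// 1. Sanitise on save through register_setting()'s sanitize_callback, so the
//    stored value never carries event handlers or script tags. wp_kses_post()
//    applies the post-content allowlist for every caller, independent of the
//    submitter's capabilities.
function st_example_sanitize_settings( $input ) {
    $clean = array();
    $clean['st_content'] = isset( $input['st_content'] )
        ? wp_kses_post( wp_unslash( $input['st_content'] ) )
        : '';
    return $clean;
}

add_action( 'admin_init', function () {
    register_setting( 'st_example_group', 'st_settings', array(
        'type'              => 'array',
        'sanitize_callback' => 'st_example_sanitize_settings',
    ) );
} );

// 2. Escape on output for the exact context. JSON-encoding with the HEX
//    flags turns "<", ">", "&" and quotes into \uXXXX escapes, so a stored
//    "</script>" can no longer terminate the block. esc_textarea()
//    HTML-encodes the value so "</textarea>" is rendered as text.
function st_example_hardened_frontend() {
    $opts    = get_option( 'st_settings', array( 'st_content' => '' ) );
    $welcome = wp_json_encode(
        (string) $opts['st_content'],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    echo '<script>var stWelcome = ' . $welcome . ';</script>';
}

function st_example_hardened_settings_page() {
    $opts = get_option( 'st_settings', array( 'st_content' => '' ) );
    echo '<textarea name="st_settings[st_content]">'
        . esc_textarea( $opts['st_content'] )
        . '</textarea>';
}
```

To verify a fix of this kind, save the advisory's payload in the setting and view the page source of both a frontend page and the settings screen: the hardened output should show `\u003C\/script\u003E` inside the script block and `&lt;/textarea&gt;` inside the textarea, and no script should execute. Sanitising on save alone is not enough, because values already stored before the fix, or written through other code paths, still reach the output functions; the context-specific escaping is the control that holds in every case.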