The plugin does not escape its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.
Put the following payload in one of the plugin's settings (such as "Title" and "Your ClickBank Nickname"): " style=animation-name:rotation onanimationstart=alert(/XSS/)//
2015-05-06 (about 7 years ago)
2021-12-01 (about 5 months ago)
2022-04-11 (about 1 months ago)