The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Proof of Concept
- Go to publisher and select Create a New Publisher
- Add publisher name "><img src=x onerror=confirm(document.cookie)>
- Click on Save Changes
- Now after loading the page wait for few seconds and you will get popup with your cookies