The plugin does not properly sanitize inputs to prevent injection of arbitrary HTML within the plugin's design customization options.
Proof of Concept
Go to the plugin's Customize Design page and open the "Wizard menu". Now scroll down and you will find an "Info Text" field where you can inject an XSS payload like "<details open ontoggle=confirm()>". Click "Publish" to store the payload.