The plugin does not escape and sanitise the preheader_text setting, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed.
Proof of Concept
Go to Newsletters under the Newsletter menu in the WordPress admin panel (e.g. https://wordpress.local/wp-admin/admin.php?page=newsletter_emails_index).
Create a new newsletter, then choose any template type (default presets) except Raw HTML.
Enter the simple test XSS payload in the Snippet input.
Payload: Test Snippet<script>alert(0)</script>
Click "Save" and then "Next". The stored XSS payload will execute.
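
The two controls the description says are missing, sanitising the setting on save and escaping it on output, are shown here as an added example; this is not the plugin's code. The function names and the surrounding markup are hypothetical, and plain PHP stands in for WordPress's sanitize_text_field() and esc_html() so the file runs on its own.

```php
<?php
// Added example with hypothetical function names; not the Newsletter plugin's code.
// Inside WordPress, sanitize_text_field() covers the save step and esc_html()
// the output step; plain PHP is used here so the file runs stand-alone.

// Flawed pattern: the stored setting is concatenated into markup as submitted.
function render_preheader_unescaped(array $options): string
{
    return '<div class="preheader">' . ($options['preheader_text'] ?? '') . '</div>';
}

// Save step: a preheader is plain text, so drop script/style blocks and all tags.
function sanitize_preheader(string $raw): string
{
    $text = preg_replace('@<(script|style)[^>]*?>.*?</\1>@si', '', $raw) ?? '';
    $text = strip_tags($text);
    // Collapse runs of whitespace left behind by removed markup.
    return trim(preg_replace('/\s+/', ' ', $text) ?? '');
}

// Output step: escape every time, so values stored before the sanitiser
// existed are still rendered as text rather than markup.
function render_preheader(array $options): string
{
    $text = htmlspecialchars(
        $options['preheader_text'] ?? '',
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return '<div class="preheader">' . $text . '</div>';
}

// Test value taken from the proof of concept on this page.
$submitted = 'Test Snippet<script>alert(0)</script>';

// Unescaped: the markup reaches the browser as markup.
echo render_preheader_unescaped(['preheader_text' => $submitted]), PHP_EOL;

// Escaped only: the tags are displayed as literal text.
echo render_preheader(['preheader_text' => $submitted]), PHP_EOL;

// Sanitised on save, then escaped on output: only the plain text remains.
echo render_preheader(['preheader_text' => sanitize_preheader($submitted)]), PHP_EOL;
```

Applying both steps means neither depends on the user's unfiltered_html capability: the value is treated as plain text for every role.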