This recommendation applies to version 3.1.10 of this plugin, but the most recent version is 3.6.2. These findings may no longer be correct.
The settings form does not escape its values properly. Most values are escaped by prepending backslashes to single quotes (“</script><script>alert(1)</script>” would break that) instead of using the available esc_js() function, and one value is not escaped at all. However, this is not an issue because the form does not appear to be vulnerable to CSRF.
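The difference between the two escaping approaches described above, as an added example that is not the plugin's code. `quote_only_escape()`, `render_setting()`, `script_closers()` and `esc_js_standin()` are hypothetical names, and the stand-in only approximates WordPress's esc_js() so the script also runs without WordPress loaded.

```php
<?php
// Added example; not the plugin's code. Every name except esc_js() is hypothetical.

// The pattern the finding describes: backslash-escape single quotes only.
function quote_only_escape(string $value): string
{
    return str_replace("'", "\\'", $value);
}

// Approximation of esc_js() for use outside WordPress (assumption: HTML-encode
// & < > " and backslash-escape quotes, backslashes and newlines).
function esc_js_standin(string $value): string
{
    $safe = htmlspecialchars($value, ENT_COMPAT, 'UTF-8');
    $safe = str_replace("\r", '', $safe);
    return str_replace("\n", '\\n', addslashes($safe));
}

// Emit a setting into an inline script as a single-quoted JavaScript string.
function render_setting(string $value, callable $escape): string
{
    return "<script>var setting = '" . $escape($value) . "';</script>";
}

// An HTML parser ends a script element at the first "</script", whatever the
// JavaScript quoting says, so more than one closer means the value broke out.
function script_closers(string $html): int
{
    return preg_match_all('~</script~i', $html);
}

// Use the real function when WordPress is loaded, the stand-in otherwise.
$escape_js = function_exists('esc_js') ? 'esc_js' : 'esc_js_standin';

// Constructed inputs: the value quoted in the finding, a plain apostrophe, and
// a trailing backslash (which quote-only escaping leaves in front of the quote).
$samples = [
    "</script><script>alert(1)</script>",
    "it's fine",
    "trailing backslash \\",
];

foreach ($samples as $sample) {
    foreach (['quote_only_escape', $escape_js] as $fn) {
        $html = render_setting($sample, $fn);
        printf("%-18s closers=%d  %s\n", $fn, script_closers($html), $html);
    }
}
```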