Findings
Content is inserted unescaped into JavaScript; however, the source of that content appears to be hard-coded.
Administrators can write arbitrary content to .htaccess files, which could allow arbitrary code to be executed. However, this plugin does obey the DISALLOW_FILE_EDIT setting and so will not allow the .htaccess file to be edited if the site is configured to prevent it. Given that, without this flag, administrators can by design execute arbitrary code anyway (via the plugin/theme editor), we think this issue can’t reasonably be called a problem.
Users who do not want administrators to be able to execute arbitrary code should ensure that DISALLOW_FILE_EDIT is always set to true. Additionally, we recommend that the web server system user not be given write permissions over the web document root.
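As an added example (not part of the original review), the following POSIX shell helpers audit both recommendations on an installation: the first reports the active DISALLOW_FILE_EDIT define in a wp-config.php, the second tells whether a given system user (assumed here to be the web server account) can write to the document root. The wp-config.php contents and directory used in the demo are constructed.

```shell
#!/bin/sh
# Constructed audit helpers for the two recommendations above:
# DISALLOW_FILE_EDIT in wp-config.php and web-server write access to the docroot.

# Print "true", "false", "unset" or "unknown" for the active DISALLOW_FILE_EDIT
# define() in the given wp-config.php. Lines commented out with // or # are
# ignored; /* */ block comments are not handled. Quoting and spacing vary between
# installs, so the pattern is permissive.
disallow_file_edit_state() {
  val=$(sed -n -E \
    "/^[[:space:]]*(\/\/|#)/d; s/.*define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*([A-Za-z0-9]+).*/\1/p" \
    "$1" | tail -n 1 | tr '[:upper:]' '[:lower:]')
  case "$val" in
    '')      echo unset ;;
    true|1)  echo true ;;
    false|0) echo false ;;
    *)       echo unknown ;;
  esac
}

# Exit 0 when <user> can write <dir>: either the directory is world-writable or
# <user> owns it and the owner-write bit is set. Group-based access is not
# evaluated here, so a clean result is necessary but not sufficient.
docroot_writable_by() {
  dir=$1; user=$2
  [ -n "$(find "$dir" -prune -perm -o=w -print 2>/dev/null)" ] ||
  [ -n "$(find "$dir" -prune -user "$user" -perm -u=w -print 2>/dev/null)" ]
}

# Demo on constructed input: a hardened wp-config.php and a read-only docroot.
demo() {
  work=$(mktemp -d)
  cat > "$work/wp-config.php" <<'EOF'
<?php
// define( 'DISALLOW_FILE_EDIT', false );   // commented out: must be ignored
define( 'DISALLOW_FILE_EDIT', true );
define( 'DB_NAME', 'wordpress' );
EOF
  mkdir "$work/htdocs" && chmod 555 "$work/htdocs"
  echo "DISALLOW_FILE_EDIT: $(disallow_file_edit_state "$work/wp-config.php")"
  if docroot_writable_by "$work/htdocs" "$(id -un)"; then
    echo "docroot writable by $(id -un): FAIL"
  else
    echo "docroot writable by $(id -un): ok"
  fi
  chmod 755 "$work/htdocs"; rm -rf "$work"
}
demo
```

On a real install, run `disallow_file_edit_state /path/to/wp-config.php` and `docroot_writable_by /path/to/docroot www-data` (or whatever account the web server runs as); anything other than `true` and a non-zero exit, respectively, means a recommendation is not met.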