This plugin is prone to unauthenticated CSS and JS injection. Attackers can inject whatever they want when "wp_footer" and "wp_head" are called, because the "se_save" function is not sanitized.
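For plugin maintainers, a sketch of a save handler that closes this class of bug. It is an added example, not the plugin's own code or its actual patch. Only the name "se_save" and the "wp_head" / "wp_footer" hooks come from this advisory; the admin_post registration, option names, nonce action and form field names are assumptions.

```php
<?php
// Added illustration. Hypothetical names: se_custom_css, se_custom_js,
// se_save_settings, se_nonce, se_css, se_js, se_print_head, se_print_footer.

function se_save() {
    // Authorization: the stored code is printed on every page, so only
    // users allowed to post raw HTML/JS may change it.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // CSRF protection: dies unless the request carries a valid nonce.
    check_admin_referer( 'se_save_settings', 'se_nonce' );

    // CSS must never contain markup, so strip all tags before storing.
    $css = isset( $_POST['se_css'] )
        ? wp_strip_all_tags( wp_unslash( $_POST['se_css'] ) )
        : '';

    // JS cannot be sanitized in a meaningful way; the capability check
    // above is the control that matters for this field.
    $js = isset( $_POST['se_js'] ) ? wp_unslash( $_POST['se_js'] ) : '';

    update_option( 'se_custom_css', $css );
    update_option( 'se_custom_js', $js );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
// admin_post_{action} fires only for logged-in users. No
// admin_post_nopriv_{action} handler is registered for anonymous requests.
add_action( 'admin_post_se_save', 'se_save' );

function se_print_head() {
    $css = get_option( 'se_custom_css', '' );
    if ( '' !== $css ) {
        // Strip tags again on output in case the option was written
        // before the handler was fixed.
        echo '<style>' . wp_strip_all_tags( $css ) . "</style>\n";
    }
}
add_action( 'wp_head', 'se_print_head' );

function se_print_footer() {
    $js = get_option( 'se_custom_js', '' );
    if ( '' !== $js ) {
        wp_print_inline_script_tag( $js );
    }
}
add_action( 'wp_footer', 'se_print_footer' );
```

Values stored before such a fix should be reviewed as well, since anything already saved keeps being printed on every page.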
Solution
Update the plugin.
Classification
Type: BYPASS
OWASP Top 10: A2: Broken Authentication and Session Management