The plugin does not sanitize and escape some of its settings, which could allow high privilege users with a role as low as Shop Manager to perform Stored Cross-Site Scripting (XSS) attacks.
Proof of Concept
Put the following payload in the WooCommerce > Settings > Billingo > E-mail Beállítások > Gomb szöveg field (in the table):
<script>alert(/XSS/);</script>