Nice plugin but it needs a security update.
One of my WordPress installations recently suffered a malware attack, WP itself was up-to-date so were the few plugins I use - I always update. I continually had to remove the files and change passwords etc. but I couldn't identify the leak.
I decided to move the site to a new host. The new hosting was setup and the site migrated. It was hacked again and the new host had superior reporting that identified a script in this plugin. I disabled the plugin and deleted it, no malware hacking issues since.
I opted to replicate the functionality with some custom code.
https://wordpress.org/plugins/seamless-sticky-custom-post-types/