There is an XSS vulnerability in the site (and probably network) admin page of this plugin.
If you post:
" /><script>alert(1);</script><div "
into the "Google Analytics ID:" field that code'll run. If the formatting for that attack gets mangled (I'm sure it will), it's here:
I would like to use this plugin for a pretty large multisite install and would be willing to audit it. Interested?