The plugin does not properly sanitize and escape the srcdoc attribute of iframes in its custom HTML field type, allowing a logged-in user with a role as low as Contributor to inject arbitrary JavaScript into a form. The payload executes for any visitor who views the form and for administrators previewing or editing it.
As a contributor, create a blank form and add a custom HTML field with the following content in the "Text" tab of the field editor:
<p>Some description about this section</p><p><iframe srcdoc="<script>alert(document.cookie)</script>"></iframe></p>
Do not decode the payload, and make sure it is added while the editor has the Text tab selected. Save the form; the XSS payload will then trigger.
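The root cause is that contributor-supplied markup is stored and rendered verbatim, so the iframe's srcdoc attribute (which a browser treats as a complete inline document) carries a script straight to every viewer. The following is an added example, not the plugin's code, showing the kind of allow-list sanitizer such a field needs and, as a by-product, an audit that reports what was stripped from existing stored field values. The allow-list (`ALLOWED_TAGS`), the `sanitize_custom_html` function and the class name are assumptions chosen for this illustration; the first sample input is the advisory's own proof-of-concept content, the second is a constructed benign field.

```python
import html
from html.parser import HTMLParser

# Allow-list for a contributor-editable "custom HTML" field: tag -> attributes permitted on it.
# This list is an assumption for the example; iframe (and therefore srcdoc) is deliberately absent,
# so the element and every attribute on it are discarded rather than escaped.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "strong": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(), "a": {"href"},
}
SAFE_URL_SCHEMES = ("http://", "https://")

# The advisory's proof-of-concept field content, and a constructed benign field for comparison.
PAYLOAD = ('<p>Some description about this section</p>'
           '<p><iframe srcdoc="<script>alert(document.cookie)</script>"></iframe></p>')
BENIGN = '<p>Contact us at <a href="https://example.com/help">our help page</a> &amp; say hi<br/></p>'


class CustomHtmlSanitizer(HTMLParser):
    """Rebuilds the field from scratch, keeping only allow-listed tags and attributes
    and recording everything it had to drop (useful when auditing stored forms)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Dropping the element also discards attributes such as srcdoc that carry
            # executable content; log what was there so stored payloads can be found.
            names = ", ".join(name for name, _ in attrs) or "no attributes"
            self.findings.append(f"dropped <{tag}> ({names})")
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                self.findings.append(f"dropped attribute {name} on <{tag}>")
                continue
            value = (value or "").strip()
            if name == "href" and not value.lower().startswith(SAFE_URL_SCHEMES):
                self.findings.append(f"dropped href with unsafe scheme on <{tag}>")
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # convert_charrefs=True hands us decoded text, so it is re-escaped on output.
        self.out.append(html.escape(data, quote=False))


def sanitize_custom_html(raw: str):
    """Return (sanitized_html, findings) for one stored custom-HTML field value."""
    parser = CustomHtmlSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out), parser.findings


if __name__ == "__main__":
    for sample in (PAYLOAD, BENIGN):
        clean, findings = sanitize_custom_html(sample)
        print(clean)
        for finding in findings:
            print("  finding:", finding)
```

Running `sanitize_custom_html` over every stored custom-HTML field gives two things at once: the value that should have been saved, and a non-empty findings list for any field that already contains an iframe or other disallowed markup, which is the quickest way to check whether a site running an affected version has been hit. In a WordPress plugin the same effect is normally obtained by passing the field through wp_kses with an allow-list that omits iframe for users without the unfiltered_html capability.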