The plugin does not sanitise or escape its Form Name, allowing high-privilege users such as admins to store Cross-Site Scripting payloads in it, even when the unfiltered_html capability is disallowed.
Create a new Form via the plugin and fill it with any values. In the next step, change the Form name to: "/><img src onerror=alert(/XSS/)> and save the form.
The XSS is triggered when viewing the forms list (/wp-admin/admin.php?page=visual-form-builder) or when editing the related form.
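
The missing control, shown as an added example that is not the plugin's code: the form name from the steps above is rendered into an attribute raw and escaped, with and without save-time cleanup, and the resulting markup is parsed to see whether an extra element appears. The markup, the field name form_title and the helper names are hypothetical; htmlspecialchars() and strip_tags() stand in for WordPress's esc_attr() and sanitize_text_field() so the script runs with plain PHP CLI.

```php
<?php
// Added illustration, not the plugin's code. The markup and the field name
// "form_title" are hypothetical.

// Constructed sample: the form name from the proof of concept.
$form_name = '"/><img src onerror=alert(/XSS/)>';

// Vulnerable pattern: the stored name is echoed raw into an attribute.
function render_raw(string $name): string {
    return '<input type="text" name="form_title" value="' . $name . '" />';
}

// Hardened pattern: escape for the attribute context at output time.
// htmlspecialchars() stands in for WordPress's esc_attr() here.
function render_escaped(string $name): string {
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="form_title" value="' . $safe . '" />';
}

// Save-time cleanup: strip_tags() is a rough stand-in for sanitize_text_field().
function sanitize_name(string $name): string {
    return trim(strip_tags($name));
}

// Parse the markup and count the <img> elements a browser would create.
function count_img(string $html): int {
    libxml_use_internal_errors(true);   // keep parser warnings quiet
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    return $doc->getElementsByTagName('img')->length;
}

$cases = [
    'raw output'              => render_raw($form_name),
    'escaped output'          => render_escaped($form_name),
    'sanitized on save, raw'  => render_raw(sanitize_name($form_name)),
    'sanitized, then escaped' => render_escaped(sanitize_name($form_name)),
];

foreach ($cases as $label => $html) {
    printf("%-24s img elements: %d\n    %s\n", $label, count_img($html), $html);
}
```

Tag stripping on save removes the element but leaves the double quote in the stored name, so the value attribute is still closed early unless the name is also escaped where it is printed.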