Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
1. Create a form and navigate to 'Edit' and 'Settings.'
3. Under the 'On submit action,' select the option to "Stay on the page and display a classic JavaScript alert box with a message."
3. Enter the payload is provided: `</script><script>alert(document.domain)</script>`.
4. Save and publish by visiting the page. It will execute the payload.