Description:
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
Form Customizer:
1. Navigate to https://example.com/wp-admin/admin.php?page=GMWQP&view=form_customizer
2. Add the payload `"><script>alert(1)</script>` to any of the form fields (ex: "email")
3. Save the changes and reload to see the XSS
Translate:
1. Navigate to https://example.com/wp-admin/admin.php?page=GMWQP&view=translate
2. Remove the `disabled` attribute from any of the Pro features
3. Add the PoC: `" style=animation-name:rotation onanimationstart=alert(/XSS/)//` to the field.
4. Save the changes and reload to see the XSS
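The fix the description points to is the usual WordPress pair of sanitising on save and escaping on output. The following is an added illustration, not the plugin's own code; the option name, field name, nonce action and function names are placeholders.

```php
<?php
// Added illustration, not the plugin's code. Option/field/nonce names are placeholders.

// Vulnerable pattern: the submitted value is stored and echoed verbatim, so a
// value such as "><script>...</script> terminates the attribute and injects markup.
function gmwqp_demo_save_setting_unsafe() {
    update_option( 'gmwqp_demo_email_label', $_POST['email_label'] );
}
function gmwqp_demo_render_setting_unsafe() {
    $value = get_option( 'gmwqp_demo_email_label', '' );
    echo '<input type="text" name="email_label" value="' . $value . '">';
}

// Hardened pattern: capability check, nonce, sanitise on save, escape on output.
function gmwqp_demo_save_setting_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'gmwqp_demo_save' );
    $raw = isset( $_POST['email_label'] ) ? wp_unslash( $_POST['email_label'] ) : '';
    // A field label never needs markup, so strip tags entirely.
    // (With the Settings API this belongs in register_setting()'s sanitize_callback.)
    update_option( 'gmwqp_demo_email_label', sanitize_text_field( $raw ) );
}
function gmwqp_demo_render_setting_safe() {
    $value = get_option( 'gmwqp_demo_email_label', '' );
    // esc_attr() neutralises the quote that closes the attribute in the PoC payloads.
    printf(
        '<input type="text" name="email_label" value="%s">',
        esc_attr( $value )
    );
}

// For a setting that legitimately carries limited HTML, decide by the
// unfiltered_html capability rather than by role: on multisite an admin
// normally lacks it, and wp_kses_post() drops on* handlers and <script>.
function gmwqp_demo_sanitize_rich_setting( $raw ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $raw;
    }
    return wp_kses_post( $raw );
}
```

Even when a value has been filtered with wp_kses_post() on save, it still has to be escaped with the context-appropriate esc_* function when it is placed inside an attribute.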