Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
To replicate this vulnerability, follow these steps:
1. Go to the plugin dashboard, click "Add New" form.
2. Under "Field Name", enter "Name" and under "Field Type", select "Name", then click "Save Form".
3. Navigate to the form list, click "Edit" under the form you created.
4. In the "Field Name" section, change "Name" to the following payload: `<script>alert(document.domain)</script>` and click "Update Form".
5. Navigate back to the form list, copy the shortcode, publish it on a new page, and visit the page. This will trigger the XSS payload.