Description The plugin does not validate and escape some of its Quiz fields before outputting them back in a page/post where the Quiz is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
1. Go to to Quizzes & Surveys
2. Add/edit a question on a Quiz, and put the following payload in the answer field: <img src=x onerror=alert(/XSS/)>
5. Add the Quiz to a post (via Add block for example) and save
The XSS will be triggered when any user will edit the post and click on the Quiz