The plugin does not sanitize and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site scripting issues when the quote is output in the “Quotes list” even when the unfiltered_html capability is disallowed
Add/edit a quote (/wp-admin/options-general.php?page=iqr-settings) and put the following payload in the Title or Content: <script>alert(/XSS/)</script>