The plugin does not sanitize and escape some parameters, which could allow users with a role as low as Author to perform Cross-Site Scripting attacks.
1. Go to Quiz » Add Categories.
2. Insert a category with the payload as its name: <script>alert(1)</script>.
3. The XSS will be triggered when accessing the Add Categories dashboard again.
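
The missing sanitize and escape steps described above, shown as an added example that is not the plugin's code: the unsafe save/render pattern beside a hardened one. All function names are hypothetical, and `strip_tags()` / `htmlspecialchars()` stand in for WordPress's `sanitize_text_field()` and `esc_html()` so the file runs without WordPress.

```php
<?php
// Added example: hypothetical function names, not the plugin's code.
// strip_tags()/htmlspecialchars() stand in for WordPress's
// sanitize_text_field() and esc_html() so this runs without WordPress.

// Vulnerable pattern: the category name is stored and echoed verbatim.
function save_category_raw(array &$store, string $name): void {
    $store[] = $name;
}
function render_row_raw(string $name): string {
    return '<tr><td>' . $name . '</td></tr>';
}

// Hardened pattern, part 1: sanitize before storing.
function save_category_safe(array &$store, string $name): void {
    $clean = trim(strip_tags($name));
    if ($clean === '') {
        throw new InvalidArgumentException('Category name is empty after sanitizing');
    }
    $store[] = $clean;
}

// Hardened pattern, part 2: encode on output. This also neutralizes
// rows that were saved before the input fix was deployed.
function render_row_safe(string $name): string {
    $encoded = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td>' . $encoded . '</td></tr>';
}

$payload = '<script>alert(1)</script>'; // payload from the steps above

$legacy = [];  // constructed stand-in for rows saved by unpatched code
save_category_raw($legacy, $payload);

$patched = []; // constructed stand-in for rows saved by patched code
save_category_safe($patched, $payload);

echo render_row_raw($legacy[0]), PHP_EOL;   // legacy row, unescaped output
echo render_row_safe($legacy[0]), PHP_EOL;  // legacy row, escaped output
echo render_row_safe($patched[0]), PHP_EOL; // sanitized row, escaped output
```

Comparing the first two lines of output shows why escaping at render time is needed even after input sanitizing is added: category names already stored in the database are not cleaned retroactively.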