The plugin does not sanitize and escape its settings, allowing high-privilege users such as administrators to perform Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed.
1. Go to the plugin settings under "WPBot Lite > Simple Text Responses".
2. Enter the payload `Test Query" onmouseover="alert(1)"` for the Query, Keyword, and/or Intent fields.
3. Save settings and move your mouse over the fields to see the XSS.
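
The missing output escaping described above, shown as an added example that is not WPBot Lite's own code: a settings field rendered without and with attribute escaping, plus a regression check that parses the markup. The function names, the `query` field name and the `esc_attr()` stand-in (used only when the script runs outside WordPress) are assumptions made for illustration.

```php
<?php
// Added example; field names and helpers are hypothetical, not WPBot Lite's code.

// Stand-in so the script runs outside WordPress. Inside WordPress the real
// esc_attr() is already defined and this branch is skipped.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Vulnerable pattern: the saved setting is concatenated into the attribute as-is.
function render_field_unsafe(string $name, string $value): string {
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: escape for the HTML attribute context at output time.
function render_field_safe(string $name, string $value): string {
    return '<input type="text" name="' . esc_attr($name)
         . '" value="' . esc_attr($value) . '">';
}

// Regression check: parse the markup and list attribute names on the <input>
// that are outside the expected set. Any hit means the value left its attribute.
function unexpected_attributes(string $html): array {
    $allowed = ['type', 'name', 'value'];
    libxml_use_internal_errors(true);          // tolerate malformed markup
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $input = $doc->getElementsByTagName('input')->item(0);
    $extra = [];
    foreach ($input ? $input->attributes : [] as $attr) {
        if (!in_array($attr->nodeName, $allowed, true)) {
            $extra[] = $attr->nodeName;
        }
    }
    libxml_clear_errors();
    return $extra;
}

// Payload from step 2 of the advisory.
$saved = 'Test Query" onmouseover="alert(1)"';

foreach (['unsafe' => 'render_field_unsafe', 'safe' => 'render_field_safe'] as $label => $render) {
    $html = $render('query', $saved);
    $extra = unexpected_attributes($html);
    echo $label, ': ', $html, PHP_EOL;
    echo '  unexpected attributes: ', $extra ? implode(', ', $extra) : 'none', PHP_EOL;
}
```

In WordPress, `sanitize_text_field()` on save is a useful second layer, but it does not encode double quotes, so `esc_attr()` at render time is what keeps the saved value inside the `value` attribute.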