The plugin does not sanitize and escape the form_id parameter of its settings page, which could allow high-privilege users such as administrators to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example, in a multisite setup).
https://example.com/wp-admin/admin.php?page=cfx-form&form_id=66%3F"onmouseover=alert(1)//
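The following is an added example, not the plugin's own code: a hypothetical reconstruction of the unsafe output pattern behind this class of bug next to the hardened form, using standard WordPress helpers. The function and option names (cfx_render_form_page_*, cfx_form_settings, cfx_form_id) are assumed.

```php
<?php
// Added example (hypothetical reconstruction, not the plugin's code).

// BEFORE (vulnerable): a request value is written straight into an HTML attribute.
// A value such as  66?"onmouseover=alert(1)//  closes the value="..." attribute and
// appends an event handler; unfiltered_html is irrelevant because this is output
// escaping, not content filtering.
function cfx_render_form_page_vulnerable() {
    $form_id = isset( $_GET['form_id'] ) ? $_GET['form_id'] : '';
    echo '<input type="text" name="form_id" value="' . $form_id . '">';
}

// AFTER (hardened): coerce the input to the type the field actually represents,
// then escape for the exact output context (attribute => esc_attr()).
function cfx_render_form_page_fixed() {
    // form_id is a numeric identifier, so absint() discards everything that is
    // not a non-negative integer: the payload above collapses to 66.
    $form_id = isset( $_GET['form_id'] )
        ? absint( wp_unslash( $_GET['form_id'] ) )
        : 0;

    // Escape on output regardless of input sanitization, so a later change to
    // the field's type cannot silently reintroduce the injection.
    echo '<input type="text" name="form_id" value="' . esc_attr( $form_id ) . '">';
}

// Persisted settings get the same treatment through the Settings API: the
// sanitize_callback runs on every save, whoever submits the form.
add_action( 'admin_init', function () {
    register_setting(
        'cfx_form_settings',   // option group (assumed name)
        'cfx_form_id',         // option name  (assumed name)
        array(
            'type'              => 'integer',
            'sanitize_callback' => 'absint',
            'default'           => 0,
        )
    );
} );

// Rendering a stored value later must still escape for its context:
//   esc_attr() inside attributes, esc_html() in text nodes, esc_url() in href/src.
function cfx_stored_form_id_attr() {
    return esc_attr( (int) get_option( 'cfx_form_id', 0 ) );
}
```

The fix is the usual two-step rule for WordPress settings pages: sanitize on input to the narrowest type the field needs, and escape on output with the helper that matches the HTML context.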