The plugin does not sanitise and escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting
When there is at least one submission: https://example.com/wp-admin/edit.php?post_type=elementor_cf_db&page;=sb_elem_cfd&form;_id=“> https://example.com/wp-admin/edit.php?post_type=elementor_cf_db&page;=sb_elem_cfd&form;_name=”>