Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Form Customizer:
1. Navigate to https://example.com/wp-admin/admin.php?page=GMWQP&view=form_customizer
2. Add the payload "> to any of the form fields (ex: "email")
3. Save the changes and reload to see the XSS

Translate:
1. Navigate to https://example.com/wp-admin/admin.php?page=GMWQP&view=translate
2. Remove the disabled attribute from any of the Pro features
3. Add the PoC: " style=animation-name:rotation onanimationstart=alert(/XSS/)// to the field
4. Save the changes and reload to see the XSS
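The defect class described above is a settings page that stores request data unsanitised and prints it back unescaped. The following is an added example, not the plugin's own code, showing the vulnerable pattern beside the hardened one in the way a WordPress settings page is normally written. Only the admin page slug GMWQP comes from the advisory; the option name gmwqp_form_labels, the gmwqp_ function names and the list of allowed field keys are assumptions made for the example.

```php
<?php
// Added example (not the plugin's code). Option and function names prefixed
// gmwqp_ are hypothetical; the page slug GMWQP is the only value taken from
// the advisory. Requires the WordPress core functions it calls.

// --- Vulnerable pattern: raw POST data stored, then echoed into an attribute ---
function gmwqp_vulnerable_save_labels() {
    // Nothing is sanitised, so a label that starts with "> closes the
    // placeholder attribute and whatever follows is stored verbatim.
    update_option( 'gmwqp_form_labels', $_POST['gmwqp_form_labels'] );
}

function gmwqp_vulnerable_render_label( $field ) {
    $labels = get_option( 'gmwqp_form_labels', array() );
    // Nothing is escaped either, so the stored value lands in the page as-is.
    echo '<input type="text" name="' . $field . '" placeholder="' . $labels[ $field ] . '">';
}

// --- Hardened pattern: sanitise on save, escape on output ---

// Hypothetical allow-list of field keys the settings page knows about.
// Keys the UI only disables client-side (the advisory's "Pro features") must
// be rejected here too, because a disabled attribute is removed trivially.
const GMWQP_ALLOWED_FIELDS = array( 'name', 'email', 'phone', 'message' );

function gmwqp_register_settings() {
    register_setting(
        'gmwqp_options',          // option group used by settings_fields()
        'gmwqp_form_labels',      // option name
        array(
            'type'              => 'array',
            'sanitize_callback' => 'gmwqp_sanitize_labels',
            'default'           => array(),
        )
    );
}
add_action( 'admin_init', 'gmwqp_register_settings' );

/**
 * Runs on every save before the value reaches the database.
 * Labels are plain text, so sanitize_text_field() is the right tool: it
 * strips tags, encodes stray '<' and removes control characters. The caller's
 * unfiltered_html capability is deliberately not consulted: markup is never
 * valid in a field label, so no role, admin included, gets to store it.
 */
function gmwqp_sanitize_labels( $input ) {
    $clean = array();
    if ( ! is_array( $input ) ) {
        return $clean;
    }
    foreach ( $input as $field => $label ) {
        $key = sanitize_key( $field );
        if ( ! in_array( $key, GMWQP_ALLOWED_FIELDS, true ) ) {
            continue; // unknown or client-side-disabled field: drop silently
        }
        $clean[ $key ] = sanitize_text_field( (string) $label );
    }
    return $clean;
}

/**
 * Escape on output as well. The advisory's second payload contains no '<',
 * so sanitize_text_field() alone leaves it intact; esc_attr() is what turns
 * its leading quote into &quot; and keeps it inside the attribute value.
 * Escaping on render also covers values stored before the callback existed.
 */
function gmwqp_render_label( $field ) {
    $labels = get_option( 'gmwqp_form_labels', array() );
    $label  = isset( $labels[ $field ] ) ? $labels[ $field ] : '';
    printf(
        '<input type="text" name="%s" placeholder="%s">',
        esc_attr( $field ),
        esc_attr( $label )
    );
}

/**
 * Detection helper for existing installs: returns the keys whose stored
 * value differs from its sanitised form, i.e. entries containing markup or
 * control characters that were saved while the sanitiser was missing.
 */
function gmwqp_find_tainted_labels() {
    $tainted = array();
    foreach ( (array) get_option( 'gmwqp_form_labels', array() ) as $field => $label ) {
        if ( sanitize_text_field( (string) $label ) !== (string) $label ) {
            $tainted[] = $field;
        }
    }
    return $tainted;
}
```

The two layers are not interchangeable. Sanitisation on save stops tag-based payloads such as the Form Customizer one from ever being stored, while escaping on output is what neutralises attribute-breakout payloads like the Translate one, which carry no tag at all. Running gmwqp_find_tainted_labels() after deploying the fix tells an operator whether any value stored under the old code still needs to be cleaned out of the database.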