The plugin does not sanitise and escape some of its form fields, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example on multisite installs, or when DISALLOW_UNFILTERED_HTML is set), i.e. in exactly the configuration where WordPress would otherwise strip script from such users' input.
Create or edit a form, go to Form Settings -> General Settings and put the following payload in the “Form Name”, “Form Description” and “Successful form submission message” fields: , then tick the “Enable Form Title / Name on Front End” and “Enable Form Description Front End” checkboxes and save the form. The XSS is triggered on any page/post where the form is embedded (via the title and description), and again after the form is submitted (via the success message).
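What the missing sanitisation typically looks like in plugin code, and one way to harden it, as an added illustration that is not the plugin's own code: option keys, field names and function names are hypothetical, while the WordPress API calls (sanitize_text_field, wp_kses_post, esc_html, current_user_can, check_admin_referer) are real.

```php
<?php
// Added illustration, not the plugin's code. Option keys, field names and
// the vuln_*/safe_* function names are hypothetical.

// VULNERABLE PATTERN: store whatever was posted and echo it back unescaped.
// An admin on a site where unfiltered_html is disallowed should have
// <script> stripped from their input, but that only happens if the plugin
// filters the value; here it never does, on save or on output.
function vuln_save_form_settings() {
    update_option( 'vuln_form_name',        $_POST['form_name'] );
    update_option( 'vuln_form_description', $_POST['form_description'] );
    update_option( 'vuln_form_success_msg', $_POST['success_message'] );
}

function vuln_render_form_title() {
    echo '<h2>' . get_option( 'vuln_form_name' ) . '</h2>'; // raw output
}

// HARDENED PATTERN: check capability and nonce, sanitise on save according
// to what each field may legitimately contain, and escape on output.
function safe_save_form_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'safe_form_settings' );

    // Plain-text fields: all tags are stripped.
    $name = sanitize_text_field( wp_unslash( $_POST['form_name'] ?? '' ) );
    $desc = sanitize_textarea_field( wp_unslash( $_POST['form_description'] ?? '' ) );

    // A field meant to hold limited HTML: honour the unfiltered_html capability.
    // wp_kses_post() removes <script>, on* event handlers and javascript: URLs.
    $msg = wp_unslash( $_POST['success_message'] ?? '' );
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $msg = wp_kses_post( $msg );
    }

    update_option( 'safe_form_name',        $name );
    update_option( 'safe_form_description', $desc );
    update_option( 'safe_form_success_msg', $msg );
}

function safe_render_form_title() {
    // Escape at output time regardless of what was stored.
    echo '<h2>' . esc_html( get_option( 'safe_form_name', '' ) ) . '</h2>';
    echo '<p>'  . esc_html( get_option( 'safe_form_description', '' ) ) . '</p>';
}

function safe_render_success_message() {
    // The stored value may legitimately contain markup, so filter it rather
    // than escape it; this also neutralises values stored before the fix.
    echo wp_kses_post( get_option( 'safe_form_success_msg', '' ) );
}
```

Escaping or filtering on output is the part that matters most here: values can reach the options table through older plugin versions, imports or direct database access, so the render functions must not trust what update_option() stored even when the save path is fixed.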