The plugin has neither proper authorisation nor CSRF checks in the save_global_setting AJAX action, allowing unauthenticated users to edit surveys and modify settings. Because the settings are neither sanitised nor escaped, this could also lead to a Stored Cross-Site Scripting issue, which will be executed in the context of a user viewing any survey.
jQuery.post("https://example.com/wp-admin/admin-ajax.php?action=save_global_setting",{ ps_global_options:{ps_options_custom_css:"body{background-color:blue !important;}alert(/XSS/)
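
A hardened handler for this action, as an added example that is not the plugin's own code: it covers the three missing controls named above (authorisation, CSRF check, sanitisation and escaping). It runs inside WordPress; the function names, the nonce action and field, the required capability and the option name used for storage are assumptions.

```php
<?php
// Added example, not the plugin's code. Names prefixed "example_" are hypothetical.

// Register only the authenticated hook. With no wp_ajax_nopriv_* registration,
// logged-out requests never reach the handler.
add_action( 'wp_ajax_save_global_setting', 'example_save_global_setting' );

function example_save_global_setting() {
    // CSRF: require a valid nonce in the "nonce" field (assumed field name).
    // Passing false as the third argument returns false instead of dying.
    if ( ! check_ajax_referer( 'example_save_global_setting', 'nonce', false ) ) {
        wp_send_json_error( 'Invalid nonce', 403 );
    }

    // Authorisation: only users who may manage options (assumed policy).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }

    $raw = ( isset( $_POST['ps_global_options'] ) && is_array( $_POST['ps_global_options'] ) )
        ? wp_unslash( $_POST['ps_global_options'] )
        : array();

    // Allow-list: copy only known keys, sanitising each by type.
    $clean = array();
    if ( isset( $raw['ps_options_custom_css'] ) && is_string( $raw['ps_options_custom_css'] ) ) {
        // Strip tags so stored CSS cannot close the <style> element or open a new one.
        $clean['ps_options_custom_css'] = wp_strip_all_tags( $raw['ps_options_custom_css'] );
    }

    // Merge into the stored settings (option name assumed) so other keys survive.
    $stored = (array) get_option( 'ps_global_options', array() );
    update_option( 'ps_global_options', array_merge( $stored, $clean ) );
    wp_send_json_success();
}

// Output side: sanitise again when rendering, so values stored before the fix
// are also neutralised on the survey page.
function example_print_custom_css() {
    $opts = (array) get_option( 'ps_global_options', array() );
    $css  = isset( $opts['ps_options_custom_css'] ) ? (string) $opts['ps_options_custom_css'] : '';
    echo '<style>' . wp_strip_all_tags( $css ) . '</style>';
}
```

The admin page that submits the form has to send a matching nonce created with wp_create_nonce( 'example_save_global_setting' ).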