The plugin does not escape the Quiz Url Slug setting before outputting it in some pages, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
Put the following payload in the Quiz Url Slug setting: "> Create a quiz and publish it. The XSS will be triggered when editing the Quizz (ie wp-admin/admin.php?page=mlw_quiz_options&quiz;_id=4), or accessing the Quizzes/Surveys page (/wp-admin/admin.php?page=mlw_quiz_list)