The plugin does not sanitise or escape the Custom Text field, which allows high-privilege users such as administrators to perform stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Create or edit a form, add a Custom Text field, put the following payload in it: , save the field and update the form. The XSS will be triggered on any page or post where the form is embedded.
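The root cause described above is a stored value that is neither filtered on save nor escaped on output. The following is an added example, not the plugin's own code, of what the vulnerable pattern looks like next to a hardened one. The function names are hypothetical; wp_kses_post(), esc_html() and current_user_can() are real WordPress APIs and the snippet assumes it runs inside a loaded WordPress environment.

```php
<?php
// Added example (not the plugin's code). Helper names are hypothetical.
// Assumes WordPress is loaded so that current_user_can(), wp_kses_post()
// and esc_html() are available.

// Vulnerable pattern: the Custom Text value is stored as submitted and
// echoed into the rendered form without any escaping, so any HTML or
// <script> an admin saves is delivered to every visitor of the page.
function example_vuln_save_custom_text( $submitted ) {
    return $submitted; // no sanitisation at all
}

function example_vuln_render_custom_text( $stored ) {
    return '<div class="custom-text">' . $stored . '</div>'; // raw output
}

// Hardened save: respect the site's unfiltered_html policy. Users who hold
// the capability may store arbitrary markup (WordPress core behaviour);
// everyone else is restricted to the post-safe allow-list, which strips
// <script>, event handlers and javascript: URLs.
function example_hardened_save_custom_text( $submitted ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $submitted;
    }
    return wp_kses_post( $submitted );
}

// Hardened render. If the field is meant to be plain text, escape it at
// output time; if limited HTML is intentionally supported, run the stored
// value through wp_kses_post() again here instead of esc_html(), since
// stored data may predate the save-time filter.
function example_hardened_render_custom_text( $stored, $allow_html = false ) {
    $safe = $allow_html ? wp_kses_post( $stored ) : esc_html( $stored );
    return '<div class="custom-text">' . $safe . '</div>';
}
```

The unfiltered_html check matters because WordPress withholds that capability from administrators on multisite installations (outside the super admin) and whenever the DISALLOW_UNFILTERED_HTML constant is set; a plugin that skips the check lets those administrators store script anyway, which is exactly the case the advisory flags. Escaping on output as well as filtering on save also covers values already in the database before a fix is shipped.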