The plugin does not sanitize several input fields used when creating or managing quizzes, nor some of its settings fields, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. unfiltered_html is the WordPress capability that normally lets administrators and editors save arbitrary HTML; when it is removed (for example via DISALLOW_UNFILTERED_HTML, or on multisite for non-super-admins), core filters post content through KSES, but a plugin's own fields are only protected if the plugin sanitizes them on save or escapes them on output. This plugin does neither for the fields below, so the restriction does not hold.
1. When creating a new Question Pot, inject an XSS payload beginning with "> in the Quiz Name (the quote and angle bracket close the attribute value and tag, so any markup that follows is rendered).
2. When adding a new quiz, inject an XSS payload beginning with "> in the Quiz Name.
3. When managing the plugin's Email Setting, inject an XSS payload beginning with "> in the "And from this name" field.
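The following is an added example, not the plugin's code, showing why a "> prefix in a saved quiz name breaks out of the form field it is rendered into, and how the two missing controls (escaping on output, the equivalent of WordPress esc_attr(), and sanitizing on save, the equivalent of sanitize_text_field()) each address it. The payload string, field name and function names are constructed for this illustration.

```javascript
// Added example (not the plugin's code). Demonstrates attribute breakout
// from an unescaped quiz name and the fix: escape on output, sanitize on save.

// Constructed attacker input: the leading "> closes the value="..." attribute
// and the <input> tag, so everything after it is parsed as fresh markup.
const PAYLOAD = '"><img src=x onerror=alert(document.domain)>';

// Vulnerable rendering: the stored name is concatenated straight into HTML,
// which is what lets a "> prefix escape the attribute.
function renderQuizNameVulnerable(name) {
  return '<input type="text" name="quiz_name" value="' + name + '">';
}

// Output escaping: encode the five HTML-significant characters so the value
// can never terminate the attribute. Mirrors what esc_attr() does in WordPress.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function renderQuizNameSafe(name) {
  return '<input type="text" name="quiz_name" value="' + escapeAttr(name) + '">';
}

// Sanitize on save: a quiz name is plain text, so strip tags before storing,
// regardless of the caller's capabilities. This is the step the advisory says
// the plugin omits; core does not filter a plugin's own fields when
// unfiltered_html is revoked, the plugin has to do it itself.
function sanitizeQuizName(raw) {
  return String(raw).replace(/<[^>]*>/g, '').trim();
}

// Helper: count complete tags in a rendered fragment, to make the breakout
// visible (the vulnerable render yields two tags, the safe render one).
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Stand-alone demonstration.
console.log('vulnerable :', renderQuizNameVulnerable(PAYLOAD));
console.log('escaped    :', renderQuizNameSafe(PAYLOAD));
console.log('sanitized  :', JSON.stringify(sanitizeQuizName(PAYLOAD)));
console.log('both       :', renderQuizNameSafe(sanitizeQuizName(PAYLOAD)));
```

Note that tag stripping alone leaves the "> prefix intact, so a stored value that was only sanitized still breaks out of an unescaped attribute; output escaping is the control that actually closes this bug, with sanitization on save as defence in depth.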