Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
1. Add a new quiz.
2. Under the created quiz, click on "Questions".
3. Add a question and enter a payload like "<script>alert(1)</script>" for the question and message fields.
4. Save and see the XSS on the frontend of the site when the shortcode is added.