The plugin does not sanitise and escape its Form Labels, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Create/edit a form, add the following payload to a Field Label: <script>alert(/XSS/)</script>
The XSS will be triggered when viewing/previewing the Form.
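The missing controls described above, as an added example in plain PHP (not the plugin's code): sanitise the label when the form is saved, escape it when the form is rendered, and audit labels stored before the fix. All function names and the sample form data are hypothetical; in a WordPress plugin, sanitize_text_field() and esc_html() play the roles of the first two helpers.

```php
<?php
// Added example: hypothetical helper names, not taken from the plugin.

// Sanitise on save: a field label is plain text, so drop markup and control characters.
function sanitize_label(string $raw): string {
    $text = strip_tags($raw);
    $text = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $text) ?? '';
    return trim($text);
}

// Escape on output: at render time the label is HTML text content, whatever was stored.
function render_label(string $label, string $fieldId): string {
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return sprintf(
        '<label for="%s">%s</label>',
        htmlspecialchars($fieldId, $flags, 'UTF-8'),
        htmlspecialchars($label, $flags, 'UTF-8')
    );
}

// Audit (heuristic): report stored labels that still carry markup saved before the fix.
function find_suspect_labels(array $forms): array {
    $hits = [];
    foreach ($forms as $formId => $fields) {
        foreach ($fields as $fieldId => $label) {
            if ($label !== strip_tags($label)) {
                $hits[] = ['form' => $formId, 'field' => $fieldId];
            }
        }
    }
    return $hits;
}

// Constructed sample data: one clean label and one holding the payload from the steps above.
$forms = [
    'contact' => [
        'name'  => 'Your name',
        'email' => '<script>alert(/XSS/)</script>',
    ],
];

foreach (find_suspect_labels($forms) as $hit) {
    echo "label with markup: form={$hit['form']} field={$hit['field']}\n";
}

// Escaping alone neutralises the stored value; sanitising first also cleans what is kept.
echo render_label($forms['contact']['email'], 'email'), "\n";
echo render_label(sanitize_label($forms['contact']['email']), 'email'), "\n";
```

Escaping at render time is the control that must not depend on the unfiltered_html capability, since it applies to every stored label regardless of who saved it.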