The plugin does not properly sanitize and escape some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Within Settings > Qwizcards > Qwizcardsa Option, put the following payload in the Qwizcards-content HTML field
v < 3.61 - "><script>alert(/XSS/)</script>
v < 3.62 - " autofocus onfocus=alert(/XSS/)//