Poll Maker < 4.0.2 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some settings, which could allow high privilege users such as admin to perform Store Cross-Site Scripting attack even when unfiltered_html is disallowed

PoC

Put the following payload in any of the Mailchimp integration settings (/wp-admin/admin.php?page=poll-maker-ays-settings&ays;_poll_tab=tab2) and save: ">