The plugin does not sanitise and escape some of the settings (available to users with a role as low as author) before outputting them, leading to a Stored Cross-Site Scripting issue
As author, put the following payload in the Settings > Integration > Use Google reCaptcha (Yes) > Site Key: v < 6.3.3 - "> v < 6.3.5 - " style=animation-name:rotation onanimationstart=alert(/XSS/)// The XSS will be triggered when any authorised user (such as another author, or admin) adds/edit a Poll