Description

The plugin is missing sanitisation as well as escaping, which could allow any authenticated user, such as a subscriber, to perform Stored XSS attacks.
Have a subscriber open an HTML file containing the following:
See the XSS when logged in as an admin and viewing recorded votes.
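
An added example, not the plugin's own code: a WordPress vote handler and admin listing that sanitise the submitted value on input and escape it on output, the two controls the description says are missing. The action name, menu slug, table and field names are hypothetical, and the table is assumed to exist.

```php
<?php
/* Plugin Name: Example Vote Recorder (hypothetical, constructed for illustration) */

// Hypothetical action; logged-in users only (wp_ajax_, not wp_ajax_nopriv_).
add_action( 'wp_ajax_example_record_vote', 'example_record_vote' );
add_action( 'admin_menu', function () {
    add_menu_page( 'Votes', 'Votes', 'manage_options', 'example-votes', 'example_render_votes' );
} );

function example_record_vote() {
    // Nonce check, standard for WordPress AJAX handlers.
    check_ajax_referer( 'example_record_vote', 'nonce' );

    // Sanitise on input: IDs become integers, text has tags and line breaks stripped.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $choice  = isset( $_POST['choice'] ) ? sanitize_text_field( wp_unslash( $_POST['choice'] ) ) : '';
    if ( 0 === $post_id || '' === $choice ) {
        wp_send_json_error( 'Invalid vote', 400 );
    }

    global $wpdb;
    // Hypothetical table, assumed to exist. insert() binds values by format.
    $wpdb->insert(
        $wpdb->prefix . 'example_votes',
        array( 'user_id' => get_current_user_id(), 'post_id' => $post_id, 'choice' => $choice ),
        array( '%d', '%d', '%s' )
    );
    wp_send_json_success();
}

function example_render_votes() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html( 'Not allowed.' ) );
    }
    global $wpdb;
    $rows = $wpdb->get_results( "SELECT user_id, post_id, choice FROM {$wpdb->prefix}example_votes" );
    echo '<table class="widefat"><tbody>';
    foreach ( $rows as $row ) {
        // Escape on output even though the value was sanitised on input:
        // rows written before the fix, or by other code, are still untrusted.
        printf(
            '<tr><td>%d</td><td>%d</td><td>%s</td></tr>',
            (int) $row->user_id,
            (int) $row->post_id,
            esc_html( $row->choice )
        );
    }
    echo '</tbody></table>';
}
```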