Data from checkboxes is not escaped or validated when it is added to the database (contact_bank_frontend-class.php, lines 102-123).
If a form has at least one checkbox field, we can add XSS to it, which will be visible to the admin at: wp-admin/admin.php?page=frontend_data
Proof of Concept:
We assume that the form has one checkbox, named 11111_chk, and form ID=1
- 14-10-2014: Discovered
- 14-10-2014: Vendor notified
- 14-10-2014: Version 2.0.70 released, issue resolved
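
The two controls the description says were missing, validation of checkbox values before storage and escaping when the admin page renders them, shown as an added example; this is not the plugin's code or the vendor's fix. The function names and option labels are hypothetical; only the field name 11111_chk comes from the advisory.

```php
<?php
// Added example with hypothetical names; not Contact Bank's code.

// Constructed sample: the options the form definition offers per checkbox field.
$allowed_options = ['11111_chk' => ['Newsletter', 'Offers']];

/** Keep only submitted values that the form actually offers (allow-list). */
function validate_checkbox_values(string $field, $submitted, array $allowed): array
{
    if (!isset($allowed[$field])) {
        return [];
    }
    // A lone checkbox may arrive as a scalar, a group as an array.
    $values = is_array($submitted) ? $submitted : [$submitted];
    $clean = [];
    foreach ($values as $value) {
        // Strict match; non-strings and unknown labels are dropped before storage.
        if (is_string($value) && in_array($value, $allowed[$field], true)) {
            $clean[] = $value;
        }
    }
    return array_values(array_unique($clean));
}

/** Escape at output time for an HTML context (WordPress offers esc_html() for this). */
function render_cell(string $stored): string
{
    return '<td>' . htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Constructed submission: one offered value and one value carrying markup.
$post = ['11111_chk' => ['Newsletter', '<b>not an option</b>']];

$stored = validate_checkbox_values('11111_chk', $post['11111_chk'], $allowed_options);
print_r($stored); // values that would be written to the database

// Rows saved before validation existed are still rendered as text, not markup.
echo render_cell('<b>not an option</b>'), PHP_EOL;
```

Escaping on output matters even once input is validated, because entries stored by versions before 2.0.70 may already contain markup.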