WordPress Quiz And Survey Master 4.7.8 / 4.5.4 XSS / CSRF

Software: Quiz And Survey Master (Formerly Quiz Master Next)
Version: 4.5.4,4.7.8
Homepage: https://wordpress.org/plugins/quiz-master-next/
Advisory report: https://security.dxw.com/advisories/csrfstored-xss-in-quiz-and-survey-master-formerly-quiz-master-next-allows-unauthenticated-attackers-to-do-almost-anything-an-admin-can/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)

CSRF/stored XSS in Quiz And Survey Master (Formerly Quiz Master Next) allows unauthenticated attackers to do almost anything an admin can

A CSRFA vulnerabilityA allows an unauthenticated attacker to add questions to existing quizzes.
The question_name parameter is put into a manually-constructed JavaScript objectA and escaped with esc_js() (php/qmn_options_questions_tab.php line 499). If the user (or attacker) creates a new question on a quizA containingA aa in the question_name field then aquestion: aa,a will get outputA inside the JS object. All good so far.
However, inA js/admin_question.js on line 205, we see this line, as part of some JS-generated HTML: