The plugin does not sanitise user input when creating or editing a business in the dashboard, allowing high-privilege users (Editor+) to set XSS payloads in various fields.
Log in as an editor or admin, then add/edit a business and set the phone number to "><img src onerror=alert(`XSS`)>
The payload will then be executed in the business list dashboard.
Other affected fields: Country, State, Social media URL, E-mail, City, Zip, Address, Location and Hours.
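
One way to close this class of bug in a WordPress plugin, as an added example that is not the plugin's own code: sanitise each field on save and escape it again when the business list is rendered. The field keys and the example_* function names are hypothetical, and the code assumes it runs inside WordPress, which provides the sanitize_*, esc_* and wp_unslash functions.

```php
<?php
// Added example: hypothetical helpers, not the plugin's code. Assumes WordPress is loaded.

// Hypothetical field keys mapped to the WordPress sanitizer suited to each type.
const EXAMPLE_BUSINESS_FIELDS = array(
    'phone'      => 'sanitize_text_field',
    'country'    => 'sanitize_text_field',
    'state'      => 'sanitize_text_field',
    'city'       => 'sanitize_text_field',
    'zip'        => 'sanitize_text_field',
    'address'    => 'sanitize_textarea_field',
    'location'   => 'sanitize_text_field',
    'hours'      => 'sanitize_textarea_field',
    'email'      => 'sanitize_email',
    'social_url' => 'esc_url_raw',
);

// Sanitise on save: keep only known fields, each passed through its own sanitizer.
function example_sanitize_business( array $raw ) {
    $clean = array();
    foreach ( EXAMPLE_BUSINESS_FIELDS as $key => $sanitizer ) {
        $value = isset( $raw[ $key ] ) && is_string( $raw[ $key ] ) ? wp_unslash( $raw[ $key ] ) : '';
        $clean[ $key ] = call_user_func( $sanitizer, $value );
    }
    return $clean;
}

// Escape on output: the list view escapes even values that were sanitised,
// because rows saved before the fix may still hold markup.
function example_render_business_row( array $business ) {
    $cells = '';
    foreach ( array( 'phone', 'email', 'city', 'country' ) as $key ) {
        $cells .= '<td>' . esc_html( isset( $business[ $key ] ) ? $business[ $key ] : '' ) . '</td>';
    }
    $url    = isset( $business['social_url'] ) ? $business['social_url'] : '';
    $cells .= '<td><a href="' . esc_url( $url ) . '">' . esc_html( $url ) . '</a></td>';
    return '<tr>' . $cells . '</tr>';
}

// Constructed input: the phone value from the report above.
$stored = example_sanitize_business( array( 'phone' => '"><img src onerror=alert(`XSS`)>' ) );
echo example_render_business_row( $stored );
```

Escaping in the list view is the part that protects against values already stored in the database, so it should be applied to every affected field listed above, not only to new submissions.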