The plugin does not sanitise and escape the URI when logging requests, which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks against logged in admin viewing the logs
As an unauthenticated user, open the following URL https://example.com/?s="><script>alert(/XSS/)</script>
The XSS will be triggered when an admin view the Real Time menu and click on the related access log.